security

Henning Rohde Rohde.Henning at gmx.net
Wed Oct 10 07:42:17 PDT 2001


Hi Fergus,
hi everybody else,

Hmm, Fergus, please explain what you want to achieve, what are you 
afraid of?

You wonder why I'm asking although you've given quite some details?
The security requirements for any system depend on the purpose you want 
to use it for.


If you wanted to set up your box like some surfing station in an 
internet café, you'd be told to keep your [anonymous] user from 
re-configuring the desktop, and to keep him from doing any harm on the 
shell, because anything else would mean never-ending labour reverting 
the tweaks the users had made.
-> How this can be achieved you'll definitely be able to find somewhere 
on the web; IIRC there's a 'kiosk mode' in KDE, for instance.
-->> What you must consider if you'd like to set up your private 
workstation like this is that the restrictions you've set up will hinder 
your daily work, so you'll find yourself doing your daily work as 
'super-user' the whole time!

If you'd like to set up a server, I'd recommend that it serve only 
one single service; anything else raises the risk of losing data because 
of an exploit in a service that appears unimportant and is therefore 
seldom updated.
-> Because there's only one open port on it, there's no need to do 
firewalling, except for special cases; see my firewalling hint.
-->> If you can't afford this layout you have to make a compromise on 
security.

If you were responsible for a large number of computers, each one probably 
insecure, you could benefit from using a firewall.
-> You could restrict any access from the internet to these computers.
-->> Your users will very soon tell you that 'something is not working 
anymore', so you'll have to loosen the firewalling rules, mostly up to 
some level that would mean total ineffectiveness of the firewall!


But in the case that
-> you have your own computers, fewer than a handful of them,
-> you know the programs you've installed on them,
-> you're the only one doing any work on them, or
    you trust your users, and nobody will do any harm just for fun,
-> you do your everyday work as some 'normal' user,
    having restricted access, NOT root,
-->> (A) what you fear is that you make some mistake and delete, for
	instance, '/usr', or change root's password by accident to
	something weird;
-->> (B) what you fear is that your filesystem gets damaged in a
	power failure;
-->> (C) what you fear is that you delete your documents by mistake,
	or your hard disk sounds weird and you have no backup,
	or the backup on the old floppies proves unreadable;
-->> (D) what you fear is that somebody bad scans your masquerading
	router and finds a service you've misconfigured, e.g., X11;
-->> (E) you have to use proprietary software, and fear that there's some
	trojan implemented in it.

Is this the case you're thinking about? Have I forgotten something?

--->>> This is the case where the hard labour begins:	;-)


(A+B) Think about some elaborate layout of your filesystems:
/, /bin, /dev, /etc, /lib, /sbin, /usr   on a separate partition, mounted read-only
/boot                                    on a separate partition, mounted read-only
/home                                    on a separate partition, possibly mirrored
/opt, /usr/local, /usr/X11               on a separate partition, mounted read-only
/root                                    on a separate partition, mounted writeable
/var, /tmp                               on a separate partition, mounted writeable

If you install any software you'll be able to remount the read-only 
partitions rw, remounting them ro immediately after the 
installation, so your filesystem will be OK in case of a power failure.

If you ask which filesystems I recommend, I don't know, but I would 
choose some fs that's capable of journalling, for at least those that are 
mounted writeable in daily use, if not for all.

BTW: You may get a simpler layout if you make intensive use of symlinks 
or if you use the new Linux 2.4 feature 'mount -o bind /var/tmp /tmp'.

If you would really like to setup this layout, please ask again, I'll 
tell you of my experiences in doing so, some of the bootscripts have to 
be changed.

(C) Do regular backups of your documents, on floppies, on tapes, on your 
hard disks, whatever you can afford.
If you are very conscious about your documents, encrypt the archive and 
transfer it to somebody you pay for keeping it [= webspace].

(D+E) Set up your own 'personal firewall', as outlined in my hint.


These are just my EUR 0.02, I hope they help you,

	Henning


PS: excuse me for starting a new thread, but I couldn't find your first 
mail as a posting in the newsgroup.
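[Editor's note: the following script is an added example, written by the editor and not part of Henning's post. It puts the remount-rw, install, remount-ro step from (A+B) and the `mount -o bind /var/tmp /tmp` trick into a small POSIX sh script. It assumes the layout is recorded in an fstab-style file with `ro` in the options of the normally read-only partitions, that `/proc/mounts` has the usual six-field format, and that `MOUNT_CMD` can be pointed at a wrapper for a dry run; the function names are the editor's own.]

```shell
#!/bin/sh
# ro-install.sh (added example, not from the original post).
# Run a package install while the normally read-only partitions are
# temporarily remounted rw, then put every one of them back to ro, so a
# power failure during daily use finds as few writable filesystems as
# possible.
#
# Assumptions: FSTAB is an /etc/fstab-style file (device mountpoint type
# options dump pass) whose read-only partitions carry 'ro' in the options;
# MOUNTS is in /proc/mounts format; MOUNT_CMD may name a wrapper or shell
# function for a dry run. Mount points containing spaces are not handled.
FSTAB="${FSTAB:-/etc/fstab}"
MOUNTS="${MOUNTS:-/proc/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"

# Print the mount points whose fstab options contain exactly 'ro'
# (so 'errors=remount-ro' alone does not count). Comments are skipped.
ro_mountpoints() {
    awk '!/^[[:space:]]*#/ && NF >= 4 {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") { print $2; break }
         }' "$FSTAB"
}

# Remount every read-only mount point with the given mode (rw or ro).
# Returns non-zero if any single remount failed, but tries all of them.
remount_all() {
    mode="$1"
    failed=0
    for mp in $(ro_mountpoints); do
        "$MOUNT_CMD" -o "remount,$mode" "$mp" || failed=1
    done
    return $failed
}

# Run a command with the ro partitions writable. The partitions are
# remounted ro afterwards even if the command fails or is interrupted.
with_rw() {
    remount_all rw || { remount_all ro; return 1; }
    trap 'remount_all ro; trap - INT TERM; exit 1' INT TERM
    "$@"
    status=$?
    trap - INT TERM
    remount_all ro || status=1
    return $status
}

# The Linux 2.4 bind mount from the post: /var/tmp appears at /tmp, so
# /tmp needs no partition of its own.
bind_tmp() {
    "$MOUNT_CMD" -o bind /var/tmp /tmp
}

# Boot-time sanity check: every 'ro' entry in fstab must really be
# mounted read-only according to MOUNTS. Prints a warning per offender.
check_ro() {
    bad=0
    for mp in $(ro_mountpoints); do
        if ! awk -v mp="$mp" '$2 == mp { found = 1
                                          if ($4 ~ /(^|,)ro(,|$)/) ok = 1 }
                               END { exit !(found && ok) }' "$MOUNTS"; then
            echo "WARNING: $mp is not mounted read-only" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage (as root): ./ro-install.sh make install
[ $# -gt 0 ] && with_rw "$@"
```

`check_ro` is meant to be run from a boot script after the filesystems are mounted; `with_rw` is the wrapper for `make install` and the like. Pointing `MOUNT_CMD` at an `echo` wrapper shows exactly which remounts would be issued before doing them for real.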

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
