-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Douglas Allan Tutty wrote:
> Reflecting on recent posts re allowing root login (related, but I didn't
> want to steal the thread), I'm wondering about a home network and what
> to bother with. There's a touch of devil's advocate in this but the
> concept that physical access == root access causes one to wonder.
>
> If I have two boxes, with two users, linked by ethernet and one box is
> on dial-up to the ISP, with nothing listening on external ports except
> the ntp daemon, what is a reasonable stance on security?
>
> Given that anyone who breaks into the house will have physical access to
> the consoles anyway, do I need a whiz-bang long root password, strong
> passwords on the regular users, and all the other hypervigilance?
>
Well, if you consider that, you also might want to consider making sure
the systems cannot boot from a CD, USB or anything else than the HD where
Debian is installed, and make sure that the BIOS has password protection
to prevent someone from changing this. Because if someone with a liveCD
comes along, all the strong passwords you want won't save your data. Now
encrypting it all might save you, but do you really need to go that far?
I guess this is what you mean by hypervigilance.

> If ssh isn't even listening on external interfaces, does it matter if I
> allow root to ssh (useful for rsyncing backups between the boxes)?
>
> Why bother to rsync instead of just nfs mounting the backup repository?
>

If you are positive there are no ways into the computer through your
internet connections, then nfs is fine. For a closed system, there is no
problem.

> If I need to run a backup, other than it being 'proper', why not just
> login as root instead of myself and su?
>
> Note that I am _not_ suggesting that I just do everything as root; then
> I lose the protection from myself.

That is what I do, but I make sure that the internet is down when I do
that, so there is no chance of someone coming in, or anything going out
while I am backing up, just a safety precaution. One can never be too
careful.

Joe

- --
Registered Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGKmKTiXBCVWpc5J4RAqGeAJ4je8kgRHN3JTXSKD/pLpEjNZbNRQCdGOv6
DfLbf+3GinLjp9d7rJcpfH0=
=DScv
-----END PGP SIGNATURE-----
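The thread's premise is that nothing listens on the dial-up side except ntpd and that ssh is bound only to the internal interface. That is a claim worth checking rather than assuming, because daemons such as rpcbind or the NFS server bind to the wildcard address by default and are then reachable the moment the dial-up link comes up. The script below is an added example (not from either poster) that parses `ss -tuln`-style output and lists every listener bound to the wildcard or to a non-LAN address. The LAN prefix 192.168.1. and the sample socket table are constructed for illustration; run it with `--live` to audit the real socket table.

```shell
#!/bin/sh
# Added example, not part of the original thread. Reports listening
# sockets that would be reachable from the dial-up side of a box like
# the one described: anything bound to the wildcard address or to an
# address outside the LAN. Input format is that of `ss -tulnH`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port, no header).

# Assumption (hypothetical): the internal ethernet is 192.168.1.0/24.
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"

# Constructed sample of `ss -tulnH` output: ntpd on all interfaces,
# sshd bound to the LAN address only, an MTA on loopback, and an
# NFS server plus rpcbind left on the wildcard address.
SAMPLE_SS='udp   UNCONN 0 0    0.0.0.0:123      0.0.0.0:*
udp   UNCONN 0 0       [::]:123         [::]:*
tcp   LISTEN 0 128 192.168.1.10:22     0.0.0.0:*
tcp   LISTEN 0 128     127.0.0.1:25    0.0.0.0:*
tcp   LISTEN 0 64      0.0.0.0:2049    0.0.0.0:*
tcp   LISTEN 0 128     0.0.0.0:111     0.0.0.0:*'

# Read ss-style lines on stdin; print one line per exposed listener.
# Loopback and LAN-prefix binds are silently accepted.
audit_listeners() {
    awk -v lan="$LAN_PREFIX" '
        {
            la = $5                       # Local Address:Port
            n = split(la, parts, ":")
            port = parts[n]
            if (port !~ /^[0-9]+$/) next  # skip a header line if present
            addr = substr(la, 1, length(la) - length(port) - 1)
            gsub(/\[|\]/, "", addr)       # strip IPv6 brackets
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                reason = "wildcard bind"
            else if (addr == "127.0.0.1" || addr == "::1")
                next
            else if (index(addr, lan) == 1)
                next
            else
                reason = "non-LAN address"
            printf "%s/%s bound to %s (%s)\n", $1, port, addr, reason
        }
    '
}

# Number of exposed listeners in the constructed sample (used below).
count_exposed() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    ss -tulnH | audit_listeners          # real socket table (iproute2)
else
    printf '%s\n' "$SAMPLE_SS" | audit_listeners
fi
```

On the sample the script flags both ntpd sockets, the NFS server on 2049 and rpcbind on 111, and accepts sshd because it is bound to the LAN address. For sshd that bind is what `ListenAddress` in sshd_config controls; the check only looks at bind addresses, so a wildcard listener that a packet filter blocks on the dial-up interface still shows up here and has to be judged separately.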