Douglas Allan Tutty wrote in Article <[EMAIL PROTECTED]> posted to gmane.linux.debian.user:
> On Mon, Apr 23, 2007 at 01:23:00AM -0700, Paul Johnson wrote:
>> Douglas Allan Tutty wrote in Article <[EMAIL PROTECTED]>
>> posted to gmane.linux.debian.user:
>>
>> > If I have two boxes, with two users, linked by ethernet and one box is
>> > on dial-up to the ISP, with nothing listening on external ports except
>> > the ntp daemon, what is a reasonable stance on security?
>>
>> Probably, yes.
> ??

It never hurts to have a border router between your network and the Internet, with only the ports you intend to use forwarded to the appropriate server.

>> > Given that anyone who breaks into the house will have physical access
>> > to the consoles anyway, do I need a whiz-bang long root password,
>> > strong passwords on the regular users, and all the other hypervigilance?
>>
>> Yes. It's not necessarily what's on the machine, but how its resources can
>> be abused. Most spam is sent from compromised systems of various types.
>>
>
> But how does a strong password protect against a physical attack on the
> computer? If I find there's been a break into my home, I'll assume that
> they got into the computer.

It doesn't. Still, if someone manages to find a way into your system, you should make it hard for them to escalate privileges.

>> > If ssh isn't even listening on external interfaces, does it matter if I
>> > allow root to ssh (useful for rsyncing backups between the boxes)?
>>
>> I would recommend against allowing root ssh just in case. It's not that
>> hard to sudo anyway.
>
> But then how do I rsync the backups? For example, if I make it so that
> group adm can read everything, and I'm in group adm, should I just rsync
> it with my user name? OTOH, doesn't having group adm able to read the
> backups cause a decrease in security? If someone then gets adm access,
> they can read everything in the backups.

rsync and ssh aren't the same, so I'm a little confused where you're coming from here.
--
Paul Johnson
Email and IM (XMPP & Google Talk): [EMAIL PROTECTED]