[plug] Network Opinions
Leon Brooks
leon at cyberknights.com.au
Mon Jul 18 15:44:53 WST 2005
On Monday 18 July 2005 15:26, Craig Ringer wrote:
> Don't be confident in the security of any platform if you have it
> plugged into the Internet.
Seconded. I have lots of boxes plugged into the 'net, and very few
break-ins due to a fair bit of pre-emption, including:
* move services like ssh away from their default ports;
* don't give users a shell unless they need one;
* dissociate plaintext passwords (e.g. POP3) from real ones;
* mount partitions as clamped-down as possible (nosuid, nodev, noexec, maybe even ro);
* don't run a service if you don't have to;
* listen only on internal interfaces if possible;
* run the service chrooted if practical;
* use French Foreign Legion firewalling rules ("you shall do nothing except...");
* update early, update often;
* generally use three prophylaxes where one would do.
> Windows is *designed* around domains. Don't even try using ad-hoc
> networking, you'll go insane. Build a domain and use the features of
> the domain, such as roaming profiles (which also force profiles to be
> stored on the server) and network printing.
Agree. And do it on Samba. When it works on MS-Windows, it works well,
but when it doesn't work, debugging it can be hell on wheels. You also
get extra flexibility en passant.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://slpwa.asn.au/ Member, Linux Professionals WA
http://osia.net.au/ Member, Open Source Industry Australia
http://linux.org.au/ Member, Linux Australia
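
The mount-option item in the list above (nosuid, nodev, noexec, ro) can be checked mechanically. This is an added example, not part of the original post: the `POLICY` table, the sample mount lines and the function names are constructed assumptions, and the parser expects the `/proc/mounts` line format.

```python
# Required options per mount point (assumed policy; adjust per host).
POLICY = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/home": {"nosuid", "nodev"},
    "/var": {"nosuid", "nodev"},
    "/boot": {"nosuid", "nodev", "noexec", "ro"},
}

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /boot ext3 ro,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda5 /home ext3 rw 0 0
/dev/sda6 /var ext3 rw,nosuid,nodev 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def audit(mounts_text, policy=POLICY):
    """Return {mountpoint: [problems]} for every policy entry that is not met."""
    seen = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        seen[unescape(parts[1])] = set(parts[3].split(","))  # last mount wins
    findings = {}
    for mountpoint, required in policy.items():
        if mountpoint not in seen:
            findings[mountpoint] = ["not a separate mount"]
            continue
        missing = required - seen[mountpoint]
        if missing:
            findings[mountpoint] = sorted(missing)
    return findings

if __name__ == "__main__":
    for mountpoint, problems in sorted(audit(SAMPLE_MOUNTS).items()):
        print(f"{mountpoint}: {', '.join(problems)}")
```

On a live Linux host, pass the contents of `/proc/mounts` to `audit()` in place of the sample text.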