On Sat, 27 Sep 2014, Richard Owlett wrote: > I have read Debian security info suggesting that all unnecessary > daemons/etc be deleted.
In every distribution you can _disable_ services. Unlike the Microsoft world you don't need to delete them. Just change the mode to remove the executable permissions (chmod a-x <filename>) and it will no longer be running when you next turn on your system. > I have at least three distinct use cases: > 0. for all cases - no known need for any "server" re internet > (poorly phrased) So, don't run any. If you are not providing services (httpd, ftpd, smtpd, etc) to other parties you just do not bring up the daemons when the system boots. > 1. my personal system - sub-cases > a. Maintenance mode - cf Runlevel=1 What sort of maintenance? You can do everything you need (other than a distribution upgrade) in runlevel 3/4 (multiuser). > b. Internet - no unsolicited incoming connection > as yet unspecified supervision of out going connections > (cf COMODO on Windows) Turn off the execute bits on sshd; no one can access your network. Your outgoing connections should be limited to your web browser and whatever you use to get and send e-mail via your ISP. > c. Computer used to compute - *NO* networking _whatsoever_ > (ME, strange? ;/ ) Ya know, if there are no other hosts connected to your working desktop machine via wireless or Ethernet then you are not on a network. Consider the folks you see working on portable computers at the local Fourbucks. They're not networked unless they're accessing some web site via their browser. Now, if you are "computing" and don't want any networking, shut down your web browser. > 2. system for a friend 1000 miles away > a. he has BSEE but no interest in computers except as a tool > b. his wife with a MS Education (minor in piano/organ IIRC) > probable use - browser, email, home office apps Have someone closer to them work with them on hardware and OS/software with which they feel comfortable. > 3. Church has received some computers to be used for instructional > purposes. We have an outreach to an inner city school across the street > and another outreach to adults with various needs. There is no networking > infrastructure. It would be wise to actively prevent internet access if > someone brought in a USB dongle etc. As I will likely be the one doing > upkeep I would prefer disabling "su" and "sudo" *COMPLETELY". Required > maintenance would be running from a "modified rescue cd". If you completely disable su and sudo you cannot do any system maintenance unless you log in as root. To disable 'Net access do not install a wireless or other modem. Each machine is a stand-alone unit. It does not matter what someone plugs into the computer if there's no hardware connecting it to the outside world. > Am I just clueles No, just beginning to learn. You might consider finding one of Carla Schroeder's fine books at your local library or book store. She has several that are great for those learning to run and use linux. Rich _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
