Rich Shepard wrote:
> On Sat, 27 Sep 2014, Richard Owlett wrote:
>
>> I have read Debian security info suggesting that all unnecessary
>> daemons/etc be deleted.
>
> In every distribution you can _disable_ services. Unlike the Microsoft
> world you don't need to delete them. Just change the mode to remove the
> executable permissions (chmod a-x <filename>) and it will no longer be
> running when you next turn on your system.

It's more a philosophical than strictly technical requirement. Debian developers are *POWER* users and presume everyone has terabyte storage, multi-GHz multi-processors, and massive bandwidth. I take "small is ultimate elegance" to the other extreme. That's my motivation for investigating debootstrap and multistrap.

>> I have at least three distinct use cases:
>> 0. for all cases - no known need for any "server" re internet
>> (poorly phrased)
>
> So, don't run any. If you are not providing services (httpd, ftpd, smtpd,
> etc) to other parties you just do not bring up the daemons when the system
> boots.

My major problem there is where do I find a list.

>> 1. my personal system - sub-cases
>> a. Maintenance mode - cf Runlevel=1
>
> What sort of maintenance? You can do everything you need (other than a
> distribution upgrade) in runlevel 3/4 (multiuser).
>
>> b. Internet - no unsolicited incoming connection
>> as yet unspecified supervision of outgoing connections
>> (cf COMODO on Windows)
>
> Turn off the execute bits on sshd; no one can access your network. Your
> outgoing connections should be limited to your web browser and whatever you
> use to get and send e-mail via your ISP.
>
>> c. Computer used to compute - *NO* networking _whatsoever_
>> (ME, strange? ;/ )
>
> Ya know, if there are no other hosts connected to your working desktop
> machine via wireless or Ethernet then you are not on a network. Consider the
> folks you see working on portable computers at the local Fourbucks. They're
> not networked unless they're accessing some web site via their browser. Now,
> if you are "computing" and don't want any networking, shut down your web
> browser.

It's probably not as much of a problem in Linux, but I've had Windows programs "helpfully" call home for updates etc.

>> 2. system for a friend 1000 miles away
>> a. he has BSEE but no interest in computers except as a tool
>> b. his wife with a MS Education (minor in piano/organ IIRC)
>> probable use - browser, email, home office apps
>
> Have someone closer to them work with them on hardware and OS/software
> with which they feel comfortable.

In an ideal world. I've known them for ~40 years and know how hard not to push. He is in an area of Upstate New York with a selection of user groups and SIGs. I was going to send him a selection of live CDs to play with. But yesterday I got an email telling me to expect his spare laptop with the implied instruction of "fill 'er up".

>> 3. Church has received some computers to be used for instructional
>> purposes. We have an outreach to an inner city school across the street
>> and another outreach to adults with various needs. There is no networking
>> infrastructure. It would be wise to actively prevent internet access if
>> someone brought in a USB dongle etc. As I will likely be the one doing
>> upkeep I would prefer disabling "su" and "sudo" *COMPLETELY*. Required
>> maintenance would be running from a "modified rescue cd".
>
> If you completely disable su and sudo you cannot do any system maintenance
> unless you log in as root.
>
> To disable 'Net access do not install a wireless or other modem. Each
> machine is a stand-alone unit. It does not matter what someone plugs into
> the computer if there's no hardware connecting it to the outside world.

I'm not quite being paranoid. I'm thinking in terms of preventing someone from using a USB Bluetooth or WiFi adapter they have brought in.

>> Am I just clueless
>
> No, just beginning to learn. You might consider finding one of Carla
> Schroeder's fine books at your local library or book store. She has several
> that are great for those learning to run and use linux.
>
> Rich
>
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
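The thread leaves two practical questions open: where to get a list of the daemons actually listening on a machine, and how to verify that the "chmod a-x" approach Rich describes has really taken effect. The script below is an added example written for this page, not code from either poster. It parses a constructed sample shaped like the output of `ss -lntup` (header removed) so that it runs offline; on a live host you would feed it the real command output instead. The function and variable names are my own.

```sh
#!/bin/sh
# Constructed sample in the shape of `ss -lntup` output with the header removed.
# Real data: SAMPLE_SS=$(ss -lntup | tail -n +2)
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
udp   UNCONN 0 0   0.0.0.0:68    0.0.0.0:* users:(("dhclient",pid=701,fd=6))'

# listening_daemons TEXT: one line per socket as "proto local_address process".
# The process name is pulled out of the users:(("name",pid=...)) field.
listening_daemons() {
  printf '%s\n' "$1" | awk 'NF >= 5 {
    proc = "?"
    if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
    print $1, $5, proc
  }'
}

# exposed_daemons TEXT: only processes bound to a non-loopback address, i.e. the
# ones another host could reach. Loopback-only services (cupsd here) are skipped.
exposed_daemons() {
  listening_daemons "$1" | awk '$2 !~ /^127\./ && $2 !~ /^\[::1\]/ { print $3 }' | sort -u
}

# disable_daemon_binary PATH: the chmod a-x approach from the thread, followed by
# a check that no execute bit is left. Returns 1 if the file is still executable.
disable_daemon_binary() {
  chmod a-x "$1" || return 1
  if [ -x "$1" ]; then
    return 1
  fi
  return 0
}

main() {
  echo "Listening sockets (constructed sample):"
  listening_daemons "$SAMPLE_SS"
  echo "Reachable from other hosts:"
  exposed_daemons "$SAMPLE_SS"
}

main
```

Two caveats worth keeping in mind when using this on a real machine: a package upgrade will reinstall the daemon binary with its execute bits restored, so removing the bits is not a permanent disable, and on an init system that manages services itself (systemd, for example) disabling the unit is the cleaner way to keep a daemon from starting at boot. Either way, re-running the socket listing after a reboot is the actual check that nothing unwanted is listening.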
