On Wed, 20 Jan 2010, Edward Ned Harvey wrote:

>> Saying "run a server OS or you will get hacked" seems to be just plain
>> wrong. The desktop version of any distro can be tightened down to the
>> same spec as the server version. Also implying that by running a server
>> version out of the box will make you immune from hackers and other
>> exploits is misleading at best.
>
> Admitted, my statement was a little dramatic.  In no way did I mean to imply
> the server version of an OS would make you immune to attacks ... I only
> meant to say you don't have a prayer if you don't at least start with the
> right starting point.
>
> I don't believe you can tighten down the desktop version.  Uninstall the
> GUI.  Remove X11 and gnome and anything else that's not necessary.  I could
> be wrong, but I don't think it can be done.  I stand by my statement,
> rephrased to eliminate any implication that the "server" version of an OS
> would provide any immunity.  Run a desktop OS exposed to the Internet, and
> you're asking for trouble.

the key here is 'exposed to the network'

modern desktop distros are pretty locked down and don't have lots of ports 
open to the network the way they used to be a few years ago.

> The first rule of hardening an Internet-facing OS is to remove all
> unnecessary services and packages (ideally remove them, not just disable
> them), and configure your firewall to block all unnecessary traffic.  Use
> strong passwords, disallow login as root, and if possible, disallow logins
> of any kind by any user account.

I agree that most modern distros have lots of unnecessary things running 
(be they a server or desktop distro), but they are all blocked. most 
desktop distros do block logins as root.

as for disallowing logins from any user account, if you do that, how can 
you manage the system (and saying that you ssh into it doesn't work, ssh 
is a login, and you said you want to disable all logins).

> When you install a "server" version of an OS, many of the above are already
> completed by default.  Particularly the minimal selection of packages, and
> the tight security policies.  When you install a "desktop" version of an OS,
> a few of those things might be default (disallow root login), but you
> certainly have tons of packages and services enabled that should be disabled
> and ideally removed.

I agree that it's best to not have services installed that aren't needed, 
but nowadays the difference between a 'desktop' and a 'server' is a matter 
of degree, not a matter of kind.

the desktop and server versions of a distro have the exact same package 
management tools on them, the packages have the exact same dependency 
declarations, so really the only difference between the two is the 
packages installed by default.

David Lang
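A small audit script, added here as an example and not something posted in the thread, that turns the "exposed to the network" point into a check: it reads socket-listing output in the layout of `ss -lntup` without its header (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port, Process) and reports only the listeners bound to a non-loopback address, i.e. the ones a desktop or server install actually offers to the network. The `ss` sample embedded below is constructed so the script runs offline; on a live host you would pipe `ss -Hlntup` into it instead.

```shell
#!/bin/sh
# List listening sockets that are reachable from the network, not just from
# localhost. Input format is that of `ss -Hlntup` (assumed column layout:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process).

# Print "proto local:port process" for each listener NOT bound to loopback.
# Wildcard binds (0.0.0.0, *, [::]) count as exposed; 127.x and ::1 do not.
exposed_listeners() {
    awk '
    {
        addr = $5; sub(/:[^:]*$/, "", addr)          # drop the ":port" suffix
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        name = "?"                                   # process may be unknown
        if (match($0, /\(\("[^"]+"/))                # users:(("sshd",pid=...
            name = substr($0, RSTART + 3, RLENGTH - 4)
        printf "%s %s %s\n", $1, $5, name
    }'
}

# Number of exposed listeners (handy as a one-number hardening metric).
exposed_count() {
    exposed_listeners | awk 'END { print NR }'
}

# Constructed sample in `ss -Hlntup` layout: a desktop-style box with sshd,
# a VNC server and mDNS on the wire, and CUPS and chrony on loopback only.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=901,fd=6))
tcp LISTEN 0 50 [::]:5900 [::]:* users:(("vino-server",pid=1432,fd=9))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=655,fd=12))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=700,fd=5))
EOF
}

# Offline demonstration on the constructed sample. On a real host use:
#   ss -Hlntup | exposed_listeners
sample_ss_output | exposed_listeners
```

Anything this prints is what the firewall or package removal discussed above has to deal with; loopback-only services never show up, which is the distinction between "running" and "exposed".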


_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/