[sf-lug] update from computer newbie

Rick Moen rick at linuxmafia.com
Fri Jul 7 13:28:13 PDT 2006


Quoting jim stockford (jim at well.com):

> You've chosen PCLOS
> http://www.tuxmachines.org/node/3677  # useful review
> http://www.pclinuxos.com/news.php  # home page

Don't forget Distrowatch:
http://distrowatch.com/table.php?distribution=pclinuxos

> As to your choices, if it were I, I'd choose
> Apache  # on GP
> BitTorrent  # if necessary for client use of bittorrent downloads
> CUPS/IPP  # unless you won't be printing anything ever
> ICMP  # sure, participate in the IP world
> Mail Server  # if needed for system admin stuff
> Open ssh Daemon  # let people in
> POP and IMAP server  # if needed for email client or Mail Server stuff

It's easy to get mixed up between client and server needs & roles; I'm
guilty of that myself, frequently.  

Jeff's list included a bunch of network daemons (services) that if
enabled, left at default settings, and not firewalled off would be 
usable by the general Internet public from remote locations.  Each such
service your machine advertises to the public is a potential point of
security attack by bad guys (not to mention being a waste of RAM and CPU
power, if you don't _intend_ to offer such services).  His list also
included BitTorrent, a peer-to-peer file-distribution tool, and ping aka
ICMP Echo.  Apparently, the PCLinuxOS installer prompts the soon-to-be
Linux admin as to which of those things' ports are to be blocked in the
inbound direction, prospectively, using netfilter IP/port filtering
rules.

ICMP Echo (ping) is, as the name suggests, the TCP/IP equivalent of
sonar.  ("Q: Are you there?"  "A: Yes, I'm here.")  Some rather
unfocussed paranoics prevent their systems (and routers, etc.) from
responding to incoming ping queries on a theory either that it makes
them more invisible (see Monty Python skit about "How not to be seen")
or that it prevents bad guys from flooding you with ICMP traffic.

To be blunt, this is Cargo Cult security
(http://en.wikipedia.org/wiki/Cargo_Cult#Analogues_in_modern_culture):
You're not really any less visible; the portscanners will find you
anyway.  And if they can't flood you with ICMP, they can flood you
equally well with any other variety of TCP/IP traffic.

Anyhow, the general advice I would give is:  Simply _don't run_ network
services (daemons) on your machine unless and until you actually have a
need and wish to do so.  You don't need to firewall off from the bad
guys a service that isn't running in the first place.  Don't introduce
system complications that you don't understand just because someone told
you it's "more secure".  That's ultimately about as effective as waving
a dead chicken at the problem.

> Hard to know in some cases without knowing the config
> of the system. For instance, some systems use sendmail
> to notify the root user of events (conjunct with logging).

Yes, but, for the local-mail role sendmail (or Postfix, or Exim) doesn't
_need_ to be running as a daemon.  Instead, it gets invoked in batch
fashion to process the outbound mail queue, and then the process
terminates.
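As an added illustration of the "don't run what you don't need" advice above (example code, not part of the original post), the following shell function takes `ss -Hlntu`-style rows on stdin and prints only the listeners bound to a non-loopback address, i.e. the daemons a machine is actually advertising to the network. The input format, the helper name and the sample rows are all assumptions; the sample is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example: audit which listening sockets are reachable from the network.
# Assumed input format (one socket per line, as printed by `ss -Hlntu`):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# A daemon bound only to 127.0.0.1 or [::1] is not a remote attack surface;
# anything bound to 0.0.0.0, *, [::] or an interface address is.

exposed_listeners() {
    awk '
    NF >= 5 {
        proto = $1
        local = $5
        # Split off the trailing :port; what remains is the bind address
        addr = local
        sub(/:[^:]*$/, "", addr)
        port = local
        sub(/^.*:/, "", port)
        # Loopback binds (IPv4 127/8, IPv6 ::1) are skipped
        if (addr ~ /^127\./ || addr == "[::1]")
            next
        print proto, addr ":" port
    }'
}

# Constructed sample modelled on `ss -Hlntu` output (hypothetical host):
# sshd, Apache, CUPS and a BitTorrent client exposed; SMTP and IPv6 CUPS local only.
SAMPLE='tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:25     0.0.0.0:*
tcp   LISTEN 0 128 *:80             *:*
udp   UNCONN 0 0   0.0.0.0:631      0.0.0.0:*
tcp   LISTEN 0 128 [::1]:631        [::]:*
tcp   LISTEN 0 128 [::]:6881        [::]:*'

# Number of network-exposed listeners in the sample
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# Stand-alone run: list the exposed services from the sample
printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live system the same filter is applied with `ss -Hlntu | exposed_listeners`; each line it prints is a daemon to either justify or stop.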




