Security questions

[Calibucsfan]

So I installed Debian 8 because the security made it interesting to me.
However I suck with computers. I get lost extremely easy. Someone told me that Debian is not secure at all unless I harden it by doing this:
https://www.debian.org/doc/manuals/secu ... ian-howto/

So is this system pretty much exposed to attacks unless I do all the above? I am not trying to be lazy but I cannot seem to do anything right in the steps above. My console just gives me errors left and right.

And next, there is this:

4.2 Execute a security update

As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on http://security.debian.org.

So do I have to manually go to the security site and download the security update and apply it? Or can I just run sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade ??

Will running the general update commands also include newest security fixes or do I have to run separate commands for specific security updates?

[dasein]

Someone told me that Debian is not secure at all unless I harden it by doing this:
https://www.debian.org/doc/manuals/secu ... ian-howto/

Stop listening to this person.

Security is not a binary state; rather, it's a continuous trade-off between reward and risk.

So is this system pretty much exposed to attacks unless I do all the above?

No.

If you're concerned about security, the first step is to buy and deploy a "commodity" router. Your Debian machine is then invisible to the Internet. That said, not all routers are created equal; some are more secure than others. So do some research before selecting a particular unit. Units with OpenWRT pre-installed will, all things considered, present a stronger security posture out-of-the-box. Such units typically cost a bit more, but some power-shopping usually uncovers a bargain or two.

By default, a Debian installation doesn't have a whole bunch of processes willing to accept network connections. Verify that this is true on your rig. No "listening" means no incoming network vulnerabilities. (Outgoing is under your control.)

But remember, a machine that isn't physically secure isn't really secure at all.

Or can I just run sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade ??

This. Although a dist-upgrade is rarely required.

One last thought: since you seem especially vulnerable to "someone told me," take a look at the Wiki page identified in my sig as "avoid a broken install." Learn it, live it, and trust it implicitly, regardless of what "someone" tells you.

[debiman]

So is this system pretty much exposed to attacks

are you using it as a server?
did you set it up to be open to the world?

[acewiza]

So is this system pretty much exposed to attacks unless I do all the above?

No. By default (IOW, you do nothing to the system's security posture apart from installing and using the software) Debian is secure enough, for typical users.

So do I have to manually go to the security site and download the security update and apply it?

Not really. I guess the answer depends on whether or not you view clicking on a prompt requesting updates to be "manual."

Will running the general update commands also include newest security fixes...

Yes.

...or do I have to run separate commands for specific security updates?

No.

[reinob]

By default (IOW, you do nothing to the system's security posture apart from installing and using the software) Debian is secure enough, for typical users.

One thing I actually seriously dislike about debian is that whenever you install a service it is automatically enabled and started. Luckily the default configuration is generally sane security-wise, but I'd still prefer to be given the time to review and modify the configuration before starting the service.

And of course the fact that somebody else chose what to ./configure, which is usually much more than one may usually need, but that's unavoidable unless you go for a source-based distribution..

[ruffwoof]

Assuming you're running a Jessie desktop setup, temporarily add

Code: Select all

deb http://http.debian.net/debian/ jessie-backports main

to your /etc/apt/sources.list and
apt-get update
apt-get install firejail
and thereafter run firefox-esr in a jail
firejail firefox-esr
and as-is you'll be running securely enough.

Firejail (default settings) limit the browser to just your Desktop and Downloads folders, so if you want to upload or download you'll have to direct files through those folders.

[debiman]

One thing I actually seriously dislike about debian is that whenever you install a service it is automatically enabled and started. Luckily the default configuration is generally sane security-wise, but I'd still prefer to be given the time to review and modify the configuration before starting the service.

can you imagine the influx of additional forum threads "application xyz doesn't work" if it weren't so?
even for me, i'm usually happy if there are some sane defaults and it Just Works (tm) - if i want to configure, i can still do it.