Security questions

If none of the more specific forums is the right place to ask

Security questions

Postby Calibucsfan » 2017-05-15 17:10

So I installed Debian 8 because the security made it interesting to me.
However I suck with computers. I get lost extremely easy. Someone told me that Debian is not secure at all unless I harden it by doing this:
https://www.debian.org/doc/manuals/secu ... ian-howto/

So is this system pretty much exposed to attacks unless I do all the above? I am not trying to be lazy but I cannot seem to do anything right in the steps above. My console just gives me errors left and right.

And next, there is this:
4.2 Execute a security update

As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on http://security.debian.org.

So do I have to manually go to the security site and download the security update and apply it? Or can I just run sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade ??

Will running the general update commands also include newest security fixes or do I have to run separate commands for specific security updates?
Calibucsfan
 
Posts: 1
Joined: 2017-05-15 17:02

Re: Security questions

Postby dasein » 2017-05-15 17:37

Calibucsfan wrote:Someone told me that Debian is not secure at all unless I harden it by doing this:
https://www.debian.org/doc/manuals/secu ... ian-howto/

Stop listening to this person.

Security is not a binary state; rather, it's a continuous trade-off between reward and risk.

Calibucsfan wrote:So is this system pretty much exposed to attacks unless I do all the above?

No.

If you're concerned about security, the first step is to buy and deploy a "commodity" router. Your Debian machine is then invisible to the Internet. That said, not all routers are created equal; some are more secure than others. So do some research before selecting a particular unit. Units with OpenWRT pre-installed will, all things considered, present a stronger security posture out-of-the-box. Such units typically cost a bit more, but some power-shopping usually uncovers a bargain or two.

By default, a Debian installation doesn't have a whole bunch of processes willing to accept network connections. Verify that this is true on your rig. No "listening" means no incoming network vulnerabilities. (Outgoing is under your control.)

But remember, a machine that isn't physically secure isn't really secure at all.

Or can I just run sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade ??

This. Although a dist-upgrade is rarely required.

One last thought: since you seem especially vulnerable to "someone told me," take a look at the Wiki page identified in my sig as "avoid a broken install." Learn it, live it, and trust it implicitly, regardless of what "someone" tells you.
User avatar
dasein
 
Posts: 7378
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Security questions

Postby debiman » 2017-05-17 06:12

Calibucsfan wrote:So is this system pretty much exposed to attacks

are you using it as a server?
did you set it up to be open to the world?
User avatar
debiman
 
Posts: 974
Joined: 2013-03-12 07:18

Re: Security questions

Postby acewiza » 2017-05-17 13:11

Calibucsfan wrote:So is this system pretty much exposed to attacks unless I do all the above?

No. By default (IOW, you do nothing to the system's security posture apart from installing and using the software) Debian is secure enough, for typical users.

Calibucsfan wrote:So do I have to manually go to the security site and download the security update and apply it?

Not really. I guess the answer depends on whether or not you view clicking on a prompt requesting updates to be "manual."

Calibucsfan wrote:Will running the general update commands also include newest security fixes...

Yes.

Calibucsfan wrote:...or do I have to run separate commands for specific security updates?

No.
User avatar
acewiza
 
Posts: 186
Joined: 2013-05-28 12:38
Location: Out West

Re: Security questions

Postby reinob » 2017-05-17 17:45

acewiza wrote:By default (IOW, you do nothing to the system's security posture apart from installing and using the software) Debian is secure enough, for typical users.


One thing I actually seriously dislike about debian is that whenever you install a service it is automatically enabled and started. Luckily the default configuration is generally sane security-wise, but I'd still prefer to be given the time to review and modify the configuration before starting the service.

And of course the fact that somebody else chose what to ./configure, which is usually much more than one may usually need, but that's unavoidable unless you go for a source-based distribution..
reinob
 
Posts: 491
Joined: 2014-06-30 11:42

Re: Security questions

Postby ruffwoof » 2017-05-17 17:47

Assuming you're running a Jessie desktop setup, temporarily add
Code: Select all
deb http://http.debian.net/debian/ jessie-backports main
to your /etc/apt/sources.list and
apt-get update
apt-get install firejail
and thereafter run firefox-esr in a jail
firejail firefox-esr
and as-is you'll be running securely enough.

Firejail (default settings) limit the browser to just your Desktop and Downloads folders, so if you want to upload or download you'll have to direct files through those folders.
ruffwoof
 
Posts: 105
Joined: 2016-08-20 21:00

Re: Security questions

Postby debiman » 2017-05-18 05:50

reinob wrote:One thing I actually seriously dislike about debian is that whenever you install a service it is automatically enabled and started. Luckily the default configuration is generally sane security-wise, but I'd still prefer to be given the time to review and modify the configuration before starting the service.

can you imagine the influx of additional forum threads "application xyz doesn't work" if it weren't so?
even for me, i'm usually happy if there are some sane defaults and it Just Works (tm) - if i want to configure, i can still do it.
User avatar
debiman
 
Posts: 974
Joined: 2013-03-12 07:18


Return to General Questions

Who is online

Users browsing this forum: No registered users and 6 guests

fashionable