Rocky Linux workstation and security

I spent five years doing backend software for identity theft protection, the last two at Experian. Needless to say, we were very security-conscious. Each developer was required to do an annual “security” in-service program. That tended to be repetitive, but some things stuck.

  1. Building on some previous comments – there is no “secure system”. Instead, enumerate the threats you want to protect against (who and what) and estimate the cost of a breach. It is easy to tie yourself in knots and spend most of your time “protecting” yourself from “threats” that are irrelevant or that have negligible impact if they occur.

  2. In a home environment, physical security is as important as anything that you run on any system. If you leave a system running with the screen unlocked and an admin user logged in, any guest who wanders into your office will be at least tempted.

  3. As others have noted, your gateway/router is an important potential weakness. If you can afford it, buy another router/firewall and set up a “DMZ” (a local segment between your connection to the outside and your internal router/firewall). This is particularly important if you ever accept inbound connections from the wild. Be aware that tools like zoom, slack, teams, google, and others tend to use spare cycles on your machine to provide caching for peer-to-peer networking with nearby users. Any system that accepts inbound connections from the wild belongs in the DMZ. For example, some people host their own webservers and publish the IP address assigned to them by their ISP. That’s ok, but if you do something like that then put a “master” server inside the inner firewall, clone it to another server running in the DMZ, and use one of the many tools that continuously monitor the DMZ executables for unexpected changes.

  4. Strongly prefer key pairs over passwords, and choose ed25519 as the key type. Passwords are inherently weaker than key pairs. For those passwords that you must use, don’t EVER EVER EVER use the same password on multiple external services/apps. Use a different password for each online banking and online credit card account. That alone accounts for the overwhelming majority of breaches that happen to real consumers. Of course, use hard-to-guess passwords. Use multi-factor authentication when it’s offered.

  5. There is growing opinion among my security-oriented colleagues that running kernel-level VMs (kvm) and maintaining good backups is a big win. If you do experience an intrusion, it’s MUCH easier to clean up if you don’t have to rebuild your entire world from backup.

  6. I’ve been very impressed with a product called intezer-protect from intezer.com. It’s a suite that runs in the background and sniffs around for suspicious executables. They have a marvelous UI and use a very impressive approach for identifying and categorizing threats. That product is free for most home users.

  7. Most modern gateway/router devices provide a second “guest” access point that provides a separate local network. Use this for guests with phones, children with laptops, and so on. Keep that guest network isolated from your “main” internal network. You have so little control over all those foreign devices that it’s wise to keep them isolated from your personal jewels.

I’ve been running RL on my “main” iron with a guest VM running Windows 10 pro using VirtualBox. I plan to migrate to QEMU ASAP. I run a second RL machine as a network fileserver.

I suggest you be VERY cautious about “IOT” stuff – especially mesh routers and such. Each new network node is a potential vulnerability. The more you do over radio, the more surface you present to bad actors.

I am gradually turning my home into a local “IT Center”, with servers running RL and straightforward (in comparison to the Windoze swamp) approaches to file servers, backups, media services, and so on. AWS S3 and rsync do a much better job of offsite backup than you’ll do with any of the Windoze-oriented money-sinks like Acronis.

There is a “big picture” worth mentioning. The Linux community, and CentOS/RHEL/Fedora in particular, has been addressing security and malware for decades. There’s a lot to learn – and there’s also a rich variety of resources and tools to help you out.

3 Likes
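Item 3’s suggestion to continuously monitor the DMZ executables for unexpected changes, as an added example (not the poster’s code and not any particular product): a SHA-256 baseline of a directory tree that is compared later to flag added, removed and modified files. The directory contents, file names and helper names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its digest; symlinks are skipped."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[str(p.relative_to(root))] = hash_file(p)
    return result


def compare(old: dict, new: dict) -> dict:
    """Report what changed since the baseline: new files, vanished files, altered contents."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: a tiny DMZ web root, then the kinds of change a monitor must flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "app").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "index.html").write_text("<h1>hello</h1>\n")
        before = baseline(root)          # snapshot taken from the known-good clone
        # Simulated drift on the DMZ host: an executable rewritten, a file dropped in, one deleted
        (root / "cgi-bin" / "app").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "cgi-bin" / "extra").write_bytes(b"\x7fELF")
        (root / "index.html").unlink()
        after = baseline(root)
        return compare(before, after)
```

In practice the baseline would be stored off the DMZ host (for example alongside the “master” inside the inner firewall) and the comparison run on a schedule, alerting on any non-empty result.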

Hi @SomervilleTom,

Thanks very much for taking the time to share your experience and advice! Lots of good stuff!

“I am gradually turning my home into a local “IT Center”, with servers running RL and straightforward (in comparison to the Windoze swamp) approaches to file servers, backups, media services, and so on. AWS S3 and rsync do a much better job of offsite backup than you’ll do with any of the Windoze-oriented money-sinks like Acronis.”

I salute you!! I have a 4-machine setup with a 5th, jaguar, which is a sandbox – aka a “Kitty Litter Box” – for testing updates, new installs, etc. to make sure they are not going to nuke my current install, but just in case there is a “sneak attack” that did not show up in jaguar, I have a complete disk backup, as well as individual directory backups, that I can roll back to if need be. While there is nothing important on any of the four machines – one is a gateway server, one is an old server that has a lot of old files I’d hate to lose, leaving only my current WS, and ocelot which is my future WS (a work in progress)… and the “Kitty Litter Box”.

My recent move has turned my WS network upside down, and I have cables hanging down and running every which way. It did not help that I have a DEAD UPS. After the move I had no phone and no internet and then found I had to have my modem “upgraded”, as the old one – which worked fine in my old apt which is currently being renovated – no longer worked – there is some really OLD hard wire in my temporary digs. I’ve worked on phone systems and this stuff predates RJ45s. While I’m behind my ISP’s firewall, that means now I have to go in and find all the stuff that I can turn off, etc. About the time I have everything purring along it will be time to move back to my newly renovated apartment, and start all over again. What FUN!!! NOT!!!