Self-managed security

If you have a self-managed machine, it is your responsibility to ensure that it is kept secure against unauthorized access. This is especially important if your machine has any associated "holes" in the Informatics firewall which permit external users to have direct access to specific services you run. For example, a web server or an SSH daemon on your machine may be externally accessible. We strongly recommend that you follow these guidelines.

Keep your software up-to-date

The single most important thing you can do to ensure your machine remains secure is to keep the software up-to-date.

You should check for updates to your machine on a daily basis. Most Linux distributions (and Windows and macOS) can do this automatically, but beware that many distributions require that you review the list of updates and manually request that the updates be applied. Note that some updates, such as those for the Linux kernel, will require you to reboot your machine - you should do that immediately after you have applied the updates, to ensure that the security of your machine is maintained.

You should always use the latest release of your chosen operating system. If you don't, you will find that security updates eventually stop being provided for it. Many Linux distributions make a new major release every 6 months or so (e.g. Fedora or Ubuntu). To avoid having to do a major upgrade of your machine too often, some distributions (e.g. Ubuntu or Red Hat) provide "long-term support" releases which guarantee the availability of security updates for very long periods of time. If you do not need the very latest software installed on your machine, this can be a very good way to avoid having to put too much effort into keeping your machine up-to-date.

Install anti-virus protection

If your self-managed machine is running Windows or macOS then you MUST have anti-virus protection software installed and up-to-date. The University recommends anti-virus software for those operating systems.

Limit access

You should configure your machine's remotely accessible services so that access is limited to only those people who require access. For example, if you are running a website so that you can collaborate with a group of external people, then it makes sense to use the access-control systems built in to your webserver to limit access to just those individuals. Similarly, if you know that your services will only be accessed from specific external machines, then you can limit access by hostname or IP address.

Limiting access: SSH

If you are running an SSH daemon with a firewall hole, you can easily limit access to specific users by using the AllowUsers or AllowGroups options.
You must never allow direct root logins: the PermitRootLogin option should be set to no.
Version 1 of the SSH protocol is insecure and must not be supported: set the Protocol option to 2.

Typically the SSH daemon is configured via the file /etc/ssh/sshd_config. You will need to restart the daemon after making any changes. See the manual page for sshd_config for full details.
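As an added example (not part of the original page), the POSIX shell script below checks an sshd_config file against the three settings recommended above and reports anything that deviates; the sample configs at the bottom are constructed for the demonstration and the `sshd_value` helper is an assumption that parses only the simple "Keyword value" form.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the three
# settings recommended above (AllowUsers/AllowGroups, PermitRootLogin no, Protocol 2).
# Usage: audit_sshd_config /etc/ssh/sshd_config ; exit status = number of findings.

# Effective value of a keyword: the first occurrence wins, as in sshd; keywords are
# case-insensitive; comments, blank lines and everything after the first Match
# block are ignored (the "Key=Value" spelling is not handled by this helper).
sshd_value() { # $1 = config file, $2 = keyword
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

audit_sshd_config() { # $1 = config file
    f="$1"; findings=0
    # 1. Logins must be limited to named users or groups.
    if [ -z "$(sshd_value "$f" AllowUsers)" ] && [ -z "$(sshd_value "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every account with a valid shell may log in"
        findings=$((findings + 1))
    fi
    # 2. Direct root logins must be off. Absent means sshd's default, which is
    #    prohibit-password (key-based root login still allowed), not "no".
    if [ "$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin is not 'no'"
        findings=$((findings + 1))
    fi
    # 3. Only protocol 2. Absent is fine on OpenSSH 7.6 and later, which dropped
    #    protocol 1 and ignore the keyword; an explicit value must be exactly 2.
    p="$(sshd_value "$f" Protocol)"
    if [ -n "$p" ] && [ "$p" != "2" ]; then
        echo "Protocol is '$p', expected 2"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs (not real system files) showing both outcomes.
weak=$(mktemp); printf 'Port 22\nPermitRootLogin yes\nProtocol 2,1\n' > "$weak"
good=$(mktemp)
printf '# hardened\nProtocol 2\nPermitRootLogin no\nAllowGroups sshusers\nMatch User alice\n  X11Forwarding yes\n' > "$good"
audit_sshd_config "$weak"; echo "weak config: $? finding(s)"      # 3
audit_sshd_config "$good"; echo "hardened config: $? finding(s)"  # 0
rm -f "$weak" "$good"
```

Run it against /etc/ssh/sshd_config after editing, then confirm the file parses with `sshd -t` before restarting the daemon.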

Limiting access: Apache web server

The Apache project provides a good page of Security Tips on their website, and we recommend that you spend some time reading them. The Apache web server provides various mechanisms for authentication and authorization. The most straightforward is to use "Basic Auth" - there is a good howto which covers the essential details.

Run a firewall

You should consider running a local firewall to limit access to only the specific services you wish to expose to the outside world. On Linux this is usually done with firewalld or iptables. Some Linux distributions (e.g. Fedora or Red Hat) have a firewall installed by default, and provide simple tools with graphical interfaces which make configuring a firewall reasonably straightforward.

Encryption

The University requires encryption of personal devices. Scroll down that page to find practical help.

Information Security

We recommend that you read the University's Information Security site.

Last reviewed: 13/01/2023