You are here

Self-managed security

Printer-friendly versionPrinter-friendly version

If you have a self-managed machine then it is your responsibility to ensure that it is kept secure against unauthorized access. This is especially important if your machine has any associated "holes" in the Informatics firewall which permit external users to have direct access to specific services you run. For example, a web server or an SSH daemon on your machine may be externally accessible. We strongly recommend that you follow these guidelines.

Software

The single most important thing you can do to ensure your machine remains secure is to keep the software up-to-date.

You should check for updates to your machine on a daily basis, most Linux distributions will do this automatically but beware that many distributions require that you review the list of updates and manually request the updates be applied. Note that some updates, such as those for the Linux kernel, will require you to reboot your machine, you should do that immediately after you have applied the updates to ensure the security of your machine is maintained

As well as applying updates on a daily basis you should always use the latest release of your chosen Operating System. If you do not then you will find that support for security updates eventually becomes unavailable. Many Linux distributions make a new major release every 6 months or so (e.g. Fedora or Ubuntu). To avoid having to do a major upgrade for your machine too often some distributions (e.g. Ubuntu or Redhat) provide "long-term support" releases which guarantee the availability of security updates for very long periods of time. If you do not need the very latest software installed on your machine this can be a very good way to avoid having to put too much effort into keeping your machine up-to-date.

Anti-virus protection

If your self-managed machine is running either of the Microsoft Windows or Apple Mac operating systems then you MUST have anti-virus protection software installed and keep it up-to-date. The University of Edinburgh Information Services provides free anti-virus software for those operating systems.

Access controls

You should configure the remotely accessible services you run on your machine so that access is limited to only those people who require access. For example, if you are running a website so that you can collaborate with a group of external people then it makes sense to use the access-control systems built in to your webserver to limit access to just those individuals. Similarly, if you know that your services will only be accessed from specific external machines then you can limit access by hostname or IP address.

1. SSH

If you are running an SSH daemon with a firewall hole you can easily limit access to specific users by using the AllowUsers or AllowGroups options. Also, you must never allow direct root logins, the PermitRootLogin option should be set to no. The version 1 protocol is insecure and should not be supported, set the Protocol option to 2. Typically the SSH daemon is configured via the file /etc/ssh/sshd_config, you will need to restart the daemon after making any changes. See the manual page for sshd_config for full details.

2. Apache

The Apache web server provides various mechanisms for authentication and authorization. The most straightforward is to use "Basic Auth" - there is a good howto which covers the essential details.

Firewall

You should consider running a local firewall to limit access to only the specific services you wish to expose to the outside world. On Linux this is done with iptables. Some Linux distributions (e.g. Fedora or Redhat) have a firewall installed by default and provide simple tools with graphical interfaces which make configuring a firewall reasonably straightforward.

Encryption

There is a College policy on encryption of personal devices. Scroll down that page to find practical help.

Further reading

We recommend that you read the Information Services Information Security site.

Last reviewed: 
20/03/2017

System Status

Home dirs (AFS)
Network
Mail
Other services
Scheduled downtime

Choose a topic