Self-managed security

If you have a self-managed machine, it is your responsibility to ensure that it is kept secure against unauthorized access. This is especially important if your machine has any associated "holes" in the Informatics firewall which permit external users to have direct access to specific services you run. For example, a web server or an SSH daemon on your machine may be externally accessible. We strongly recommend that you follow these guidelines.


The single most important thing you can do to ensure your machine remains secure is to keep the software up-to-date.

You should check for updates to your machine on a daily basis. Most Linux distributions will do this automatically, but beware that many distributions require that you review the list of updates and manually request that the updates be applied. Note that some updates, such as those for the Linux kernel, will require you to reboot your machine - you should do that immediately after you have applied the updates, to ensure that the security of your machine is maintained.

You should always use the latest release of your chosen Operating System. If you do not, you will find that support for security updates eventually becomes unavailable. Many Linux distributions make a new major release every 6 months or so (e.g. Fedora or Ubuntu). To avoid having to do a major upgrade for your machine too often, some distributions (e.g. Ubuntu or Red Hat) provide "long-term support" releases which guarantee the availability of security updates for very long periods of time. If you do not need the very latest software installed on your machine, this can be a very good way to avoid having to put too much effort into keeping your machine up-to-date.

Anti-virus protection

If your self-managed machine is running Windows or macOS then you MUST have anti-virus protection software installed and up-to-date. The University provides free anti-virus software for those operating systems.

Access controls

You should configure your machine's remotely accessible services so that access is limited to only those people who require access. For example, if you are running a website so that you can collaborate with a group of external people, then it makes sense to use the access-control systems built in to your webserver to limit access to just those individuals. Similarly, if you know that your services will only be accessed from specific external machines then you can limit access by hostname or IP address.

1. SSH

If you are running an SSH daemon with a firewall hole, you can easily limit access to specific users by using the AllowUsers or AllowGroups options. Also, you must never allow direct root logins: the PermitRootLogin option should be set to no. The version 1 protocol is insecure and must not be supported: set the Protocol option to 2. Typically the SSH daemon is configured via the file /etc/ssh/sshd_config - you will need to restart the daemon after making any changes. See the manual page for sshd_config for full details.
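As an added example (not part of the original guidance), the following Python sketch checks the text of an sshd_config against the three settings named above. The function names parse and audit and the sample configuration are constructed for illustration; the check requires each setting to be explicit rather than relying on defaults, which vary between OpenSSH versions, and it does not follow Include files.

```python
import re

# Constructed sample config for illustration; not taken from any real host.
SAMPLE = """\
# constructed example
Protocol 2,1
permitrootlogin = no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

def parse(text):
    """Return (global_opts, match_opts). sshd uses the first value seen for a
    keyword, and keywords are case-insensitive; Match blocks override globals."""
    global_opts, match_opts, in_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            in_match = value
        elif in_match is not None:
            match_opts.append((in_match, key, value))
        else:
            global_opts.setdefault(key, value)  # first occurrence wins
    return global_opts, match_opts

def audit(text):
    """Return a list of findings against the three SSH guidelines above."""
    opts, matches = parse(text)
    findings = []
    if opts.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly set to no")
    if opts.get("protocol") != "2":
        findings.append("Protocol is not explicitly set to 2")
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append("neither AllowUsers nor AllowGroups is set")
    for cond, key, value in matches:
        if key == "permitrootlogin" and value.lower() != "no":
            findings.append(f"Match {cond} re-enables root login ({value})")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FINDING:", f)
```

In the sample, the second global PermitRootLogin line is ignored because the first value wins, but the one inside the Match block is reported because it overrides the global setting for matching connections.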

2. Apache

The Apache project provides a good page of Security Tips on their website which we recommend you spend some time reading. The Apache web server provides various mechanisms for authentication and authorization. The most straightforward is to use "Basic Auth" - there is a good howto which covers the essential details.


You should consider running a local firewall to limit access to only the specific services you wish to expose to the outside world. On Linux this is usually done with firewalld or iptables. Some Linux distributions (e.g. Fedora or Red Hat) have a firewall installed by default and provide simple tools with graphical interfaces which make configuring a firewall reasonably straightforward.


There is a College policy on encryption of personal devices. Scroll down that page to find practical help.

Further reading

We recommend that you read the Information Services Information Security site.
