August 18, 2005

Best practices for the Linux home office, part 2

Author: Corinne McKay and Daniel J. Urist

Last time we began talking about using Linux in a small office by discussing what to look for in hardware and the operating system. Once you've settled on your base system, it's time to connect it to the Internet, and that brings up concerns about your systems' security.

Linux owes much of its growing popularity to its reputation for good security; but just as the threats to your computers' security rapidly evolve, maintaining the security of your systems is an ongoing process. The overriding principle of security is to "fail closed," or turn things off by default. If you don't need a service running, turn it off; if you don't need a firewall port open, close it; if you don't need a piece of software, remove it. Above all, good security is a matter of good hygiene.

First and foremost, you should immediately install any security updates as soon as you've installed your operating system. You should also automate security updates. Most vendors provide simple command-line tools for this, such as APT, yum, and up2date, that you can run periodically from cron, the standard Unix scheduling tool.

You should shut down and remove any services (daemons) that you don't need. This will also conserve resources, and your machine will boot faster. Confusingly, different distributions use different tools for managing services. For command-line tools, Debian and Ubuntu use update-rc.d or rcconf, while Fedora uses chkinstall. There are also GUI tools available. Ksysv, included in the KDE window manager, and the GST RRunlevel Editor, included with GNOME, will work on most major Linux distributions except SUSE, which has its own runlevel editor called YaST. While the generic GUI tools will work on Fedora and Mandrake, Fedora has its own tool called redhat-config-services, and Mandrake's is called DrakXServices.

If you're not sure whether you need a given service, shut it off and see what happens. It should be easy to turn it back on again using the appropriate tool for your distribution if you need it. Also, reexamine which services are running after software updates, since occasionally updates may turn on services that you thought you disabled.

Many distributions allow you to configure a basic firewall at installation time, although these tools don't usually allow for fine-grained control. You should strive to make your firewall configuration as restrictive as possible, since it's your first line of defense against most attacks.

In our home office, the firewalls on our machines allow access from our internal network but deny access from our DSL router or from anywhere else. Be particularly wary of installing and using any applications that require opening incoming ports, such as peer-to-peer or voice over IP applications. Although the applications may have stellar security histories, opening any incoming ports on your firewall makes your machine more vulnerable to attack. If you must open incoming ports, consider installing an intrusion detection system, such as Snort.

Lastly, remove any software packages that you don't use. This gives attackers fewer options and will reduce the size of your backups. For instance, if you don't need to emulate the French Minitel system, you don't need the xtel package that comes with Debian.

Removing unused packages isn't always easy, since a typical installation includes more than a thousand packages, many of which are interdependent. Fortunately, modern package management utilities like APT and yum, can handle this for you. Just as when you install packages, these tools can resolve all dependent packages and uninstall them as well.

You can start by removing major suites of applications that you don't use. For example, if you don't need a relational database management system, such as PostgreSQL or MySQL, remove it. Likewise, remove any Web servers, such as Apache, that you don't need. To remove unused single packages, tools such as Debian's deborphan are extremely helpful.

Choosing an ISP

These days, a broadband Internet connection is essential for the home office. Unless you need to invest in a high-speed (and expensive) T1 connection, your best options are digital subscriber line (DSL) and cable. In remote or mountainous areas, wireless broadband and satellite access may be available, but are often more expensive than other methods.

Follow two basic guidelines when choosing an ISP: Don't immediately go with the cheapest option, and look for a Linux-friendly ISP.

A cheap ISP isn't necessarily bad, but some features that a home office absolutely needs, such as 24/7 human tech support by experts, aren't always available at rock-bottom rates. While a good ISP may not support Linux explicitly, it should be willing to at least take a stab at it. In our case, we ran into a problem when we moved and needed to install a DSL modem at our new house. The modem, ordered through our local phone company, arrived with an installation CD for Windows and Mac but no installation instructions for Linux. Fortunately, our ISP helped us install and configure the modem through a Web browser interface in only a few minutes. Had we not screened the ISP for its willingness to help us with Linux-related issues, this might have taken an inordinate amount of time, or resulted in us choosing another method of Internet access. Often the best way to choose a Linux-friendly ISP is to get a recommendation from another Linux user in your area, or from your local Linux users group. Like the corner hardware store, smaller local or regional ISPs frequently provide the best customer service, if not absolute rock bottom rates.

Once you have some names of ISPs, call and ask a few questions. What are your ISP's backup policies? For instance, can you ask for files to be restored from your ISPs backups if you need them? This is most relevant if you use your ISP for Web hosting or for Web-based email access. Find out if they have multiple upstream Internet backbone providers, or at least a backup provider in the event of an emergency. We learned to ask about this the hard way after our ISP of many years went completely dark for several days following a contract renewal dispute with its sole Internet backbone provider.

While cable and DSL companies will fight over which technology is cheaper, more robust, easier to install, or faster to use for uploads or downloads, actual performance depends on where you live and which ISPs provide access in your area. The main difference between cable and DSL service providers is actually not technical. For historical reasons in the US, the existing telephone infrastructure over which DSL runs must be available to any ISP that wants to offer DSL service, while a cable company may select which ISPs may offer cable Internet service using its infrastructure. This results in much greater competition between DSL ISPs than exists between cable ISPs. For your business, reliability and customer service are the key elements to consider when choosing an ISP. Some ISPs may offer business packages that include formal service level agreements (SLA), an option worth considering if you need guaranteed bandwidth and/or guaranteed response time for problems.

Cable Internet access currently has a higher theoretical bandwidth than DSL, but actual performance is usually quite similar, since cable users share a network segment with anyone else in their neighborhood who has cable Internet. The shared network segment has been a security concern, since other subscribers on your segment can see your network packets. The DOCSIS standard has addressed this issue by encrypting traffic between your computer and the ISP. However, you're still on a shared network, which theoretically makes you more vulnerable to attack.

DSL access isn't available everywhere, and there's no easy way to tell if your house is eligible; you'll have to call either your ISP or your local phone company. It is sometimes impossible to tell how fast your DSL connection will be until you try it, since your actual speed depends on how far your house is from the central telephone company office. On the upside, DSL is relatively simple to install yourself, and assuming you have a phone jack in your office, it shouldn't require any new hardware besides a modem. Since cable jacks were most frequently installed in the living room or master bedroom, cable users may need to have a jack installed in the room used as the home office.

Whatever Internet access method you choose, here are a few caveats. First, read your user agreement when you sign up for service. Both cable and DSL providers sometimes restrict how many computers you can run off your connection, and whether you can run a server at all. Some providers also reserve the right to bill you an increased amount or automatically raise you to a more expensive service plan if you exceed a specified bandwidth limit. Further, some providers insert a disclaimer in the user agreement that the service is intended for personal and recreational use only and should not be depended on for critical business communications. In this case, the provider frequently offers a more expensive business package, sometimes with a formal service level agreement. If your business can't run without Internet access, it's important to choose an ISP that offers a backup method of accessing the Internet if your broadband connection goes down. In most cases, this comes in the form of a certain number of dialup hours per month.

Next: Disk storage tips

Click Here!