IIAB/Security: Difference between revisions
< IIAB
Jump to navigation
Jump to search
Line 15: | Line 15: | ||
apt-get clean (may be more comprehensive than "apt-get autoclean") |
apt-get clean (may be more comprehensive than "apt-get autoclean") |
||
* In February 2017, [ |
* In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get": |
||
apt update |
apt update |
Revision as of 14:29, 22 March 2017
This IIAB XSCE content does not reflect the opinion of OLPC. These pages were created by members of a volunteer community supporting OLPC and deployments.
Some security tips — that will become more professional as time goes on:
NOTE: Images may include keys which permit developers to log into your machine. You can disable this feature by running the following terminal command "rm -f /home/xsce-admin/.ssh/authorized_keys".
- Please confirm your passwords are secured.
- Consider the strategies below for securing your OS (downloading and semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your server, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
For Debian, Raspbian (and presumably Ubuntu?) servers
- Several in our Internet-in-a-Box (IIAB/XSCE) community choose to run the following quasi-weekly:
apt-get update apt-get dist-upgrade (or "apt-get upgrade" if you do not want a new kernel etc) apt-get clean (may be more comprehensive than "apt-get autoclean")
- In February 2017, James Cameron suggested some may prefer to use "apt" instead of "apt-get":
apt update apt full-upgrade (similar to above "apt-get dist-upgrade") apt-get clean (may be more comprehensive than "apt-get autoclean")
He mentions there's a package for automated unattended upgrades, called "unattended-upgrades" for those willing who require that (and willing to bear the risks!)
- Whichever path you take above, the final step is optional, to removed "unused libraries" etc:
apt-get autoremove (some consider this last step risky, though no known IIAB/XSCE problems have resulted as of March 2017)
- In the past, "rpi-update" was also required to update firmware on RPi SD cards.
For CentOS and Fedora servers
- Run
yum -y update --security
if your system already has yum-security installed, typically viayum install yum-security
(this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services).
- Please also consider commands:
- yum updateinfo list security all
- yum updateinfo list security installed
- yum updateinfo list security available
- Many with high-bandwidth run more complete system updates, as follows:
yum update
oryum -y update
(followed byyum clean all
among those who were daring). Even if arguably this installs far too many untested and diverse updates/upgrades across the board, adding too many features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)
Security Blowback / Survival Tips
- If you notice Wikipedia-like items are no longer accessible from http://schoolserver.lan, try running the following as root, which is similar to the http://box/admin -> Install Content -> "Restart Kiwix Server" button:
xsce-make-kiwix-lib systemctl restart kiwix-serve
- If ownCloud updates itself to 8.1 or above, users visiting http://schoolserver.lan/owncloud from unknown IP addresses may face error message "You don't have permission to access /owncloud on this server."
Fix guideline forthcoming from Tim Moody.NEW PROGNOSIS FEB 2017: Josh Dennis may move IIAB/XSCE to http://box/docs based on http://Nextcloud.com, which has stronger community support than ownCloud.