Celebrity advice on keeping your Linux desktop secure

Here:
http://www.linux.com/feature/124994
"Celebrity advice on keeping your Linux desktop secure

"One of the main reasons people move from Windows to Linux is the promise of greater security from malware on the Internet. Everyone knows you need to add extra security to try to keep a Windows desktop safe, but what do you have to do to accomplish the same thing on Linux? To answer that question, we asked a number of well-known Linux kernel hackers and a security expert for their thoughts on the matter.

"In conclusion, it's obvious that different users have different ideas of what is necessary to maintain good security on your Linux desktop, but there is a single thread of thought that's worth noting: Linux is not bulletproof, and your desktop is not safe simply because it runs Linux. Let good sense be your guide. For most of us, that means running the desktop behind a firewall and regularly applying security patches. For others, additional defensive measures may be in order.

 

Hello,
Interesting.
Cheers,
Mrk

 

Agreed. And thanks for checking it out.

Here are two celebrity end members:

"Ted Ts'o, Linux hacker extraordinaire, and an IBM employee whose latest assignment is heading up platform strategy at the Linux Foundation, has been running Linux on his desktop without a firewall for years. He says he knows more about networking and Linux platform security than the typical user, so he feels safe even without a firewall.

"Linus Torvalds takes a more cautious approach to his desktop security. Although he declined to offer security advice for others, he said his approach is to lock down everything, with multiple firewalls and strict rules. He runs a firewall on his DSL router and another on his desktop box. His development machines connect to the same LAN as his desktop box, and they live behind yet another router and firewall. He says:

""My firewall rules are also pretty anal. I basically try to not let anything in. Not even SSH; when I'm traveling, I simply cannot log into my normal machines. And I don't listen for SMTP; I use fetchmail to get it from an external machine, and there are spam-filters in place on that external machine (and I also have them on the internal one, but that's almost incidental).

""In other words, I basically try to set my machines up so that I only ever have outgoing connections, and the only incoming traffic is for connections that were literally started by me and thus expected to be fairly trusted.

 

Yes, interesting. Thanks for posting it.