View previous topic :: View next topic |
Author |
Message |
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
|
Posted: Fri Apr 19, 2024 12:55 pm Post subject: Silly idea: Web server with a GUI as an every-day client |
|
|
Hello,
Today I open this topic because I'll soon achieve a project of mine:
TL;DR: I make a server with a GUI to also use it as a main desktop, saving energy (no cheap anymore!) and I'm aware that is not the best move when it's about security, I did not set yet the Hardened profile and I'm seeking any good advice for such project.
Long story: I host a very few websites, running on Raspberry Pi OS (known as Raspbian in the ol' time), actually an old stable because of my current project, I do not want to waste time to upgrade an OS I won't use soon and still maintained.
I have to use another computer than my RPI4 which start to be too weak for my needs, specially: I'm hosting a french website association around neurodevelopmental disorder, and it start to be too small regarding our traffics and specially Matomo which is sweating hard with the database on such hardware.
So, I took my HP Elitebook 8560w, set Gentoo on it with SystemD and AwesomeWM as a GUI, to keep as much as possible CPU usage and memory to be eaten by """useless GUI""". Some tools would already cannibalize it as Firefox, I have to be very picky because the CPUs are weak, cores not numerous (8) and I only got 4Gb of RAM.
So far, I know this is mostly a bad idea: Each layers of code could bring bugs, waste of resources and worst of all is security. I laugh at Windows server for that matter. But here, this is no professional project, I think the worst we could had is (D)DoS. My bandwidth is crazy (5Gbs capped to 1 with my ethernet port / wire). But even a simple DoS could bring apocalypse on a such awfully weak device as Rasperry Pi 4 and it's SD card I/O of prehistoric age.
If I do this, it's simply because this laptop should be enough for both usage, if I manage to get a GUI as AwesomeWM and lightweight tool. Electricity price is huge in France, the RPI was about 5-10W, while my desktop is up to around 1000K… And the laptop 230W max. I think, even if this laptop will run all the time, I can save some energy and money if I stop using my desktop for anything that doesn't need such powerful hardware (as compilation, or game in my case).
To avoid even more wasting resource, my actual main desktop which is very powerful regarding this laptop is used as it's binhost.
I know Gentoo have a project: Gentoo Hardened, which for simplicity and ease of installation and settings is not sets yet. I'm not experienced in such things for now.
That is probably the first step: I have to get into regarding the security for server as desktop part.
I'm new to Gentoo, less than 9 months, but not to Linux (started around 2006). For security on a server, I usually do these steps:
- Close all ports that are not useful with iptables
- Make SSH awfully hard to get in for undesired scripts: fail2ban with strict rules, SSH keys with a passphrase with the longest recommended key and best cipher to use these days, remove root by settings the value AllowUsers without it as forcing key connection, etc.
- Removing undesired packages or services
Also, this laptop has obviously wifi, which was disabled by -wifi use flag, notably for networkmanager package, using only ethernet for obvious reasons. As the webcam would have to be disabled, just in case.
I do not attend to cipher the hard drive, it'll never move from it's place (my desk) and if I get robbed, honestly I do not really care at this point…
In this case, I see these very big risks of security:
- Firefox
- Discord (what an awful piece of software)
- Mail client (usually I use Thunderbird, but here it'll be Claws-mail)
- Spotify (non-free software)
- Skype (for a specific use case I can't get without, sadly)
- Whatsapp for family / friends client
I know you can run these software into a chroot and access them by typing your root password, with only missing a feature if Firefox's case: You can't open a link by clicking on it, you have to manually paste it. Who cares ! :)
But otherwise, I see a *lot* of unfree software that will be… Not the best to sets, on a server. The best workaround could be to use the web-client into firefox for Discord, Spotify and Whatsapp, but there is not for Skype, sadly.
I guess the safest way is to run these into firefox, which will be into a chroot/sandbox re-enforced, to mitigate any problem that would occurs.
Also, for better stability, Firefox will be kept to ESR, since last release are more likely to bring bugs or worst, security hole.
Virus: I'll add ClamAV and sets it to run a few times a day, or each day and report any problem. I'm also considering to use RKHunter or such tools.
Firefox: Will containerize this big piece of code, specially if it runs some weird stuff as Discord or Spotify. I also wants to remove any proprietary blobed stuff for DRM, despite I'll lose some functionality, I do not think I'll be much bothered.
Skype: I'll, maybe, use the Android version on my phone instead of installing that.
Graphic card and drivers: Not supported by the last NVidia and proprietary driver, anyway this computer will not be intended to play games, merely plays HTML video… So it's nouveau driver, which will also avoid to use the legacy and unmaintained driver, which will be stupid to use regarding security anyway !
Kernel: Will try to remove as most as possible anything that is not necessary, as wifi, bluetooth, webcam, any modules that is not in use. As said, less layers is the best in my case, for power usage as security and bugs avoiding. That will take some times to experience this I guess, but I also think it could be worth it. And maybe, anything unfree that is not needed or has a non-important features I could avoid to have.
Ciphering hard drive: I'll, despite what I says above, probably does that… As a last step, I think. My main concern is: If I'm not at home and have to ask someone to boot it for me because it crashed / turned down somehow, it'll be hell to ask someone to type a password to uncipher root partition if it's not my fiancée. Once a year I'm not at home for around 2 weeks, that is concerning to me. If I can't SSH it, well, it's down.
Firewall: I'm used to IPTables, blocking any incoming traffic and open only what is needed. It should be simple as usual.
Protecting from unwanted connection: Fail2Ban it is for SSH as HTTP auth, with very few allowed retry and 24h long bans. Or even more, I'll have physical access to it anyway 95% of the year.
Blocking unwanted country: Let's be honest, I'll not need to be reachable from China, Russia, and more. As far as I know. From my professional and personal experience, these IPs are 99,99% of the time unwanted traffic. I know you can block country-wide range of IP, but a true attack won't be bothered by such minor protection. It's merely to avoid useless power usage to really take care of such useless HTTP request, avoiding easy (D)DoS… Etc.
Mail client: Will use for now Claws-Mail, because it's very light. Maybe I'll consider moving on Mutt for even more resource saving. My main concern is security here: Clicking on a bad link, opening a bad file from an e-mail or get rekt by HTML code into an HTML e-mail… Wondering if it also needs to be containerized. As 'litehtml' USE flag disabled, so no HTML reading of a e-mail from my desktop. I can probably, maybe, not have to pay much attention to it. I do not know.
AppArmor VS SELinux: So far as I know, SELinux is better to enhance security, but is a pain if you compare it to AppArmor. I do not know which will be the best, but SELinux seems like a 'Seek&Destroy' for all weird behavior that could occur on your system. The only time I used it was on Fedora, ages ago, it was plain hell.
In the end, the server part will have to manage theses services: HTTP, Database and PHP/Python for interactivity. It is also a project to make it a mail server with Postfix, but that is for later.
This is merely a mind stub I post here, I also realize it starts to be heavy to read and not very well formated. I'll move from this subject for now, but I'll very happy to get any advice on such matter from you peoples.
Have a nice week-end.
Regards,
GASPARD DE RENEFORT Kévin _________________ Traduction wiki, pour praticiper.
Custom logos/biz card/website. |
|
Back to top |
|
|
BurningMemory n00b
Joined: 17 Jan 2023 Posts: 54
|
Posted: Fri Apr 19, 2024 2:20 pm Post subject: |
|
|
Hello there.
Considering your tight hardware limits, this will be very difficult to achieve with the amount of ram
modern apps tend to consume. Though, I have an idea - virtualization server. You can set up the server
with the most minimal approach and run all your software in a VM via libvirt for example.
The way to do this would be to set up libvirt to use VNC as graphics and then optionally do SSH tunneling.
Another thing you can also take a look at is musl libc. It's very minimal as well.
As for your other points:
Running an antivirus will only bring overhead and honestly if you set everything up properly
it's not necessary to have it.
Using nouveau is pretty much fine since it will only be used to render the tty,
also if someone does manage to get into your server, for some reason,
you'll have a much bigger problem to worry about than nouveau.
Removing bloat from the kernel is a great idea. For the most part just enable the drivers your
hardware actually needs and disable anything you don't need. Of course, you probably won't get it
right from the start. So, just explore the configuration category by category, item by item, read the
description, etc.
Encryption on your drives may not be really needed, it depends on how and where you store
sensitive data (if you do). It's a good model to run the server on an SSD (optionally encrypted)
with encrypted hard drives added into the mix and to store sensitive data only on the hard drives.
And if you're concerned you won't be able to boot the server, then just don't encrypt the system drive
Also maybe either try to get it working with TPM (don't actually know if you can do that with luks)
or just set up an encrypted partition just for sensitive data.
Worrying about distributed DoS attacks isn't very useful in your case.
That kind of attacks usually hit big targets, they're not directed at single servers
but at whole networks.
SELinux is a great security module. The only downside it has is, perhaps, complexity.
And even though technically SELinux can be bypassed, it is worth looking into.
If you're going to try to set up virtualization as I suggested, SELinux with the strict policy
can be a nice touch. But again, in your case it might be overkill. You do you.
Or if you're planning to literally use the laptop both as a server and a daily driver machine,
then I don't know, I guess you could try to containerize some things.
You have a nice weekend too :) |
|
Back to top |
|
|
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
|
Posted: Fri Apr 19, 2024 3:11 pm Post subject: |
|
|
BurningMemory wrote: | Hello there.
Considering your tight hardware limits, this will be very difficult to achieve with the amount of ram
modern apps tend to consume. Though, I have an idea - virtualization server. You can set up the server
with the most minimal approach and run all your software in a VM via libvirt for example.
The way to do this would be to set up libvirt to use VNC as graphics and then optionally do SSH tunneling.
Another thing you can also take a look at is musl libc. It's very minimal as well. |
Well, I do not like the idea to virtualize, since it needs to run another computer into mine, bringing in my opinion more resource usage. While a systemd-nspawn, less secured by default than a virtual machine so far as I know, rely on your host's kernel and don't bring any much resource usage, beside running at the same time on host and the nspawn some services needed to boot, I think that is a very elegant solution to avoid resource cannabism, and allow pretty good to start/stop the whole container via systemd, all of that being built-in. Looks nice in my head at least.
But I did not think about your solution, which is not bad at all by itself. I'll reconsider this point and google a bit.
BurningMemory wrote: | As for your other points:
Running an antivirus will only bring overhead and honestly if you set everything up properly
it's not necessary to have it. |
Well, if I / we (the association) distribute file, it's kind of needed. If I want to do it the light way, I set a cron job running the scan in the middle of the night while anybody or almost would check out the website (despite these peoples, which I fall into the category, are easily night-owl… Damn brain !), so it would be the proper time to scan then backup the files.
BurningMemory wrote: | Using nouveau is pretty much fine since it will only be used to render the tty,
also if someone does manage to get into your server, for some reason,
you'll have a much bigger problem to worry about than nouveau. |
Not only TTY, but AwesomeWM as all GUI as well. But I already used this laptop with Gentoo + KDE + nouveau + firefox, hell it was god damn fine to use actually ! I first wanted to keep going on KDE, but I want the lightest of the lightest stuff when possible. KDE won't brings much to me in this settings, beside cannibalize resources.
For security, so far as I know there is some new security issue with GPU, that could lead to being hacked, and since my GPU don't support the last driver, the code is not patched against there methods, while nouveau will probably take care of that. Plus nouveau is free, always neat.
BurningMemory wrote: | Removing bloat from the kernel is a great idea. For the most part just enable the drivers your
hardware actually needs and disable anything you don't need. Of course, you probably won't get it
right from the start. So, just explore the configuration category by category, item by item, read the
description, etc. |
Oh yeah, this will be great fun. Of course the way will made me falls a lot of time, for sure, and since I couldn't validate a server that is rebooting X times a day for testing, this process has to be mastered by me way before it actually host anything in production.
Funny story aside this topic: the only time I did this was a whole night trying to setup the good parameters for a home-made Debian server. Never saw so many blue screen in my life. I succeeded in compiling and installing that kernel, patched IIRC with GRSecurity, sun was rising, bird was starting to sing and life was starting a new cycle… then I read LinuxFR.org and learn that, that night, the very same night I downloaded the Linux's source code… kernel.org got hacked.
F*** !
BurningMemory wrote: | Encryption on your drives may not be really needed, it depends on how and where you store
sensitive data (if you do). It's a good model to run the server on an SSD (optionally encrypted)
with encrypted hard drives added into the mix and to store sensitive data only on the hard drives.
And if you're concerned you won't be able to boot the server, then just don't encrypt the system drive
Also maybe either try to get it working with TPM (don't actually know if you can do that with luks)
or just set up an encrypted partition just for sensitive data. |
We do not store sensible data, the most sensible I got is the statistic of requesting the web's association pages, these stats does not even contain full IP address (234.134.x.y IIRC) and all datas are anonymized to avoid managing RGPD as we are mandatory to do so in Europe.
Actually, some things will be sensible, as configuration of the servers (duh) and my own data.
But I start to think I'll set them with a NFS running on a RPI 4 aside this server, on an external hard drive. Giving even more disk space and maybe less I/O to the SSD in use for this machine (I'm no filthy HDD user ! ).
BurningMemory wrote: | Worrying about distributed DoS attacks isn't very useful in your case.
That kind of attacks usually hit big targets, they're not directed at single servers
but at whole networks. |
It is, actually, because to make it short: This association comes from a discord's servers around the disorder I talked about, some are not always happy about moderation (which is the source of the association, also), since that said association has another Discord, we know pretty well that the few bunch of trolls we get from time to time, are coming from the primary server used to talk about these disorder, but not linked officially to the other.
It's easy nowadays, with a not-so-bad computer and a decent bandwidth to:
a/ manually run refresh on a web browser, that is no secret that it is run on a small device, with a few friends it could start to slow down the site
b/ find a script-kiddies tool to achieve that on your own connection, or even made your own if you are not a monkey, hell even an auto-clicker could achieve this
c/ never got deeper in this subject before, but that could also be someone targeting the wrong website, why not ? I already saw it in the professional field (it's another story time): A french website hosted by the company I was working for at this time was targeted because of it's name I forgot and it's content (something about religiously approved food IIRC), after a quick analysis it happened the few days after some political shaking in the middle-east, can't say anymore what was that, and by the name of the site… The conclusion was it was targeted while a more massive attack occurred on different networks, hosted website, etc. All of that to say: You can, also, take bullets for being to close or looking alike a true target. Am I paranoid ? The peoples in my head say: not enough !
I guess there will never such things as a big DDoS attack, but that still something I know as possible, not likely but not impossible. Beside I can see that the last 3 to 4 months we had even more than all 2023 year of request on the site. More popularity makes you a bigger target, in any case.
That is also a nice exercise, for me, to think ahead and trying to take care of this probably-never-happening problem.
I have time these days…
BurningMemory wrote: | SELinux is a great security module. The only downside it has is, perhaps, complexity.
And even though technically SELinux can be bypassed, it is worth looking into.
If you're going to try to set up virtualization as I suggested, SELinux with the strict policy
can be a nice touch. But again, in your case it might be overkill. You do you.
Or if you're planning to literally use the laptop both as a server and a daily driver machine,
then I don't know, I guess you could try to containerize some things.
You have a nice weekend too |
Well, it depends on what we call a container.
Virtual machine and docker (and it's alternatives) are containers.
Is a nspawn chroot ? I do not think so, it evens share the same kernel as the host, as would do a dumb-flatpak or what ever.
Yeah, I see it more like a weapozined-flatpak, having all it's libraries, parameters sets, for a sets of applications (web server, database & web interactivity). These things are pretty new to me, speaking of nspawn, I did not even knew it's existence before I was using Gentoo, which is less than a year now.
I was in fear to set a Gentoo as a server as first, seeing some bugs from time to time but it's seems more about GUI and non-critical (won't crash the machine itself, you can always get back to your GUI somehow) and mostly my lake of knowledge and experience.
I start to feel confident about my Gentoo skills, more and more, now it is a new level to reach and break into pieces.
Thanks for your answer.
Regards,
GASPARD DE RENEFORT Kévin _________________ Traduction wiki, pour praticiper.
Custom logos/biz card/website. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54572 Location: 56N 3W
|
Posted: Fri Apr 19, 2024 9:12 pm Post subject: |
|
|
kgdrenefort,
I think you are putting the cart before the horse with your security ideas.
Just because you can do something does not mean that you should.
The first step is to define your threats. You need to do this in writing as the threats may change with time and the list will need to be updated.
With your threats listed, define the defences you will deploy. There is no point in defending against threads you don't have.
You are making a security/usability trade off here.
e.g. on a mobile device that you may leave on a bus, some degree of at rest data encryption may be a good idea. Consider the data content though. It may not be required.
On a physically secure server, the risk of at rest data falling into the wrong hands is much lower.
Assess your threats. Deploy your defences.
Always remember this too. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5036 Location: Bavaria
|
Posted: Fri Apr 19, 2024 10:42 pm Post subject: Re: Silly idea: Web server with a GUI as an every-day client |
|
|
kgdrenefort wrote: | TL;DR: I make a server with a GUI to also use it as a main desktop, saving energy (no cheap anymore!) and I'm aware that is not the best move when it's about security, [...] |
This is the first and biggest mistake. Just never do that!
kgdrenefort wrote: | - Skype (for a specific use case I can't get without, sadly) |
Many years ago (when i was not yet retired) a friend of mine was commissioned by his company (a large aircraft manufacturer) to find out what Sykpe does. His team consists of the best assembler programmers and hackers that you can possibly find ... what they found out left them with only one alternative: Skype must never be used in the company !
Today only the slides are online ... you will finde them in year 2006 of:
https://airbus-seclab.github.io/
Choose: Vanilla Skype by Fabrice Desclaux and Kostya Kortchinsky at REcon: Slides part 1 and part 2
Even if this is probably outdated, it will probably only get worse over the years ... So ... use this on a sperate machine with nothing else than this dirt program.
---
Do what @Neddy already said ... and we can give you some hints what you really need.
A hardened kernel is ALWAYS a good choice ... for a server AND a desktop machine. The same is true for a firewall: Install iptables (or nftables) on each machine - as personal FW - AND additional on your Gateway/Router machine as network firewall. AppArmor for the browser (and other desktop applications) is also a good choice. For a server I would rather recommend SELinux. Never allow an SSHD to be accessed from the Internet. If you really need remote access, do it over a VPN. fail2ban is nice but not really a protection. Blocking unwanted country is easy with using sets. Configure your mail client so that it only displays mails as text (switch off html; kmail from kde is set this way by default; you don't need ClamAV then ... this is a security hole itself and has had several BAD bugs in the past: https://www.cvedetails.com/vulnerability-list/vendor_id-8871/Clamav.html ). _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
|
Posted: Sat Apr 20, 2024 10:53 am Post subject: Re: Silly idea: Web server with a GUI as an every-day client |
|
|
NeddySeagoon wrote: | kgdrenefort,
I think you are putting the cart before the horse with your security ideas.
Just because you can do something does not mean that you should.
|
Do you mean by that: Don't add security layers that is not needed ?
NeddySeagoon wrote: | The first step is to define your threats. You need to do this in writing as the threats may change with time and the list will need to be updated.
With your threats listed, define the defences you will deploy. There is no point in defending against threads you don't have.
You are making a security/usability trade off here. |
Well, in my case, by service:
- HTTP: Would be a NGinX using only modules needed, with CGI. It would answer request for HTML as PHP with CGI. There would be a (very) few peoples allowed to access, from my LAN, the server, to update websites. Some pages would be protected by an HTPasswd, without IP checking (sadly, I do not want to push it to hard on my users). Fail2ban will do a small part for the HTPasswd, by blocking potential bruteforce on such form.
=> I still fear to be the target of (D)DoS, but it never happened for now.
- Database: MariaDB only accessible from LAN, no remote connection. About security that will be all the basics, a strong root password, only a bunch of databases (mostly matomo) and I would be the only one to access it, locally.
=> I'm not very aware of attacks on database, beside if it is not properly protected against remote connection or SQL injection. By the way, passwords and sensible data as to be ciphered.
- Interactivity (mostly, PHP): Will makes pool for each site running with it, I did not mastered the chroot process for this service, tho.
=> The most common attacks I heard of are in, mostly, CMS and such with security hole. I guess using pool and chroot can mitigate that, plus with some control with SELinux or AppArmor is a plus in this case, I guessk.
- Remote access: SSH/sFTP would be, only local with an exception for the ~2 weeks I'm not at home. I won't set up for now a VPN but that is a good idea. Fail2Ban is mostly nice to avoid unwanted load. SSH Keys with password and only my users and another user on the LAN would be able to access.
=> So far, I only fear a big security hole (hello xz storm !) but I manage to keep it hard to access, specially from WAN.
- Users: Mostly they are visiting the website, some would maybe check the Matomo from time to time, but that's it. I'm the main user.
=> They are nice, they need my hosting, I do not allow them to see/do stuffs that they don't need. They are not a threat, so far.
NeddySeagoon wrote: | e.g. on a mobile device that you may leave on a bus, some degree of at rest data encryption may be a good idea. Consider the data content though. It may not be required.
On a physically secure server, the risk of at rest data falling into the wrong hands is much lower.
Assess your threats. Deploy your defences.
Always remember this too. |
In this case, it'll stay at home, connected to it's ethernet wire and won't even move from the desk.
As for XKCD, true, tho my head is very hard 8).
pietinger wrote: | kgdrenefort wrote: | TL;DR: I make a server with a GUI to also use it as a main desktop, saving energy (no cheap anymore!) and I'm aware that is not the best move when it's about security, [...] |
This is the first and biggest mistake. Just never do that! |
Was expecting this answer, since I'm the first one to say that, mostly. I know this is not the ideal match.
pietinger wrote: | kgdrenefort wrote: | - Skype (for a specific use case I can't get without, sadly) |
Many years ago (when i was not yet retired) a friend of mine was commissioned by his company (a large aircraft manufacturer) to find out what Sykpe does. His team consists of the best assembler programmers and hackers that you can possibly find ... what they found out left them with only one alternative: Skype must never be used in the company !
Today only the slides are online ... you will finde them in year 2006 of:
https://airbus-seclab.github.io/
Choose: Vanilla Skype by Fabrice Desclaux and Kostya Kortchinsky at REcon: Slides part 1 and part 2
Even if this is probably outdated, it will probably only get worse over the years ... So ... use this on a sperate machine with nothing else than this dirt program. |
I'll take a deep look into that link and resources, thanks.
I was expecting such tool to be awfully bad in my case, was not wrong then. Was a bit obvious.
pietinger wrote: | Do what @Neddy already said ... and we can give you some hints what you really need.
A hardened kernel is ALWAYS a good choice ... for a server AND a desktop machine. The same is true for a firewall: Install iptables (or nftables) on each machine - as personal FW - AND additional on your Gateway/Router machine as network firewall. AppArmor for the browser (and other desktop applications) is also a good choice. For a server I would rather recommend SELinux. Never allow an SSHD to be accessed from the Internet. If you really need remote access, do it over a VPN. fail2ban is nice but not really a protection. Blocking unwanted country is easy with using sets. Configure your mail client so that it only displays mails as text (switch off html; kmail from kde is set this way by default; you don't need ClamAV then ... this is a security hole itself and has had several BAD bugs in the past: https://www.cvedetails.com/vulnerability-list/vendor_id-8871/Clamav.html ). |
That is things I usually don't paid much attention on a Desktop, usually there is no running service beside SSHd that is mostly only for LAN access.
As for ClamAV I wasn't aware of that, sad. Any other suggestion to take care of files that are send on a mail server ?
I know some popular anti-virus does jobs on Linux for this kind of threat, but I do not think that are a guarantee or free (as free beer, and certainly not a freedom). But I know that is existing.
Thanks for your time.
PS : I'm asking about security because that is probably the worst part to take car of properly. I have the basics, but since it's a mix between a desktop and a server… The case is uncommon and need more attention.
And yes, I'll do that, even if it's not the best idea. As said, I'm aware of what makes it not ideal. But remember that is a non-professional project, for a very few websites, I'll not start to host dozens of websites and project. Merely 3 to 4.
Regards,
GASPARD DE RENEFORT Kévin _________________ Traduction wiki, pour praticiper.
Custom logos/biz card/website. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54572 Location: 56N 3W
|
Posted: Sat Apr 20, 2024 1:18 pm Post subject: |
|
|
kgdrenefort,
Quote: | I think you are putting the cart before the horse with your security ideas.
Just because you can do something does not mean that you should.
Do you mean by that: Don't add security layers that is not needed ? |
Almost but not quite. You are suggesting defences before defining the threats. You may be deploying defences that are not be required and missing defences that you will need.
Incidentally, a horse does push a cart even though its placed in front of the cart. :) _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|