08/10/2006, 01h35   #1
Randy Yates
Re: OT: security device

Michael Heiming <michael+USENET@www.heiming.de> writes:

> In comp.security.ssh Unruh <unruh-spam@physics.ubc.ca>:
>> Randy Yates <yates@ieee.org> writes:
>
>>> Folks,
>
>>> Forgive the OT nature, but I'm dying to bounce this off of some
>>> reputable and knowledgeable people in security, and I think this
>>> group is rich in such members.
>
>>> The problem of being owned, hacked, kiddied, yada-yada-yada is
>>> so common nowadays I was thinking of ways to at least detect
>>> such situations and came up with this.
>
> [..]
>
>> A far far better idea is to run an OS that is not so subject to "being
>> owned, hacked, kiddied, yada-yada-yada". You are trying to provide
>> protection at the worst possible point, instead of the best.
>
> Indeed, this was my first thought about the "problem" I can't
> really see. Since this was posted to css, I am presuming somehow
> owned through ssh?

Not that I can detect. It's just that I'm not ever sure.

> - Disable direct root logins, use 'su/sudo'.

Done.

> - Deny ssh logins other than from trusted systems/networks

That defeats the purpose of ssh and my need. I want to be able
to login from potentially unknown systems/networks.

> - Allow keylogin only over public networks

Again, I can't always predict where I'll be logging in from.

> Another idea would be to run sshd on another port; this obfuscates
> malicious scripts at least.

Done.

> Or you could send your system a mail
> and let it configure through procmail to open sshd to a certain
> IP you just send?

I had thoughts along those lines, but hadn't gone quite that far.

No, I don't think I'm owned. I just hate the idea of it ever happening,
and like I said in an adjacent post, I don't see that you can ever
guarantee it won't without using a physically and logically separate
system.
--
% Randy Yates % "Maybe one day I'll feel her cold embrace,
%% Fuquay-Varina, NC % and kiss her interface,
%%% 919-577-9882 % til then, I'll leave her alone."
%%%% <yates@ieee.org> % 'Yours Truly, 2095', *Time*, ELO
http://home.earthlink.net/~yatescr
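As an added example (not part of the thread and not written by any of its participants), here is a small Python audit that checks an sshd_config text against the three points argued over above: no direct root login, key-only authentication from networks you cannot predict (with passwords permitted only for a trusted address range through a Match Address block, which reconciles the "deny logins except from trusted networks" advice with the need to log in from unknown places), and a non-default port, which the thread itself rates as obfuscation rather than a real control. The directive names are real OpenSSH ones; the two sample configs are constructed for illustration.

```python
"""Audit an sshd_config for the hardening points raised in the thread.

Added example, not from the original thread. Directive names are real
OpenSSH ones (PermitRootLogin, PasswordAuthentication, Port, Match Address);
the two sample configs below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample: what a stock-looking sshd_config of the period allows.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the thread's advice applied. Keys only from anywhere,
# passwords tolerated only from a trusted LAN range.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> tuple[dict[str, str], list[tuple[str, dict[str, str]]]]:
    """Split sshd_config text into global directives and Match blocks.

    Returns (global_directives, [(match_criteria, block_directives), ...]).
    Keys are lowercased; like sshd, the first value seen for a key wins.
    """
    global_conf: dict[str, str] = {}
    blocks: list[tuple[str, dict[str, str]]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}  # every directive until the next Match belongs here
            blocks.append((value, current))
            continue
        target = global_conf if current is None else current
        target.setdefault(key, value)
    return global_conf, blocks


def audit_sshd_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    conf, blocks = parse_sshd_config(text)
    findings: list[str] = []

    # 1. Direct root logins (thread: use su/sudo instead). OpenSSH of the
    #    period defaulted to "yes" when the directive was absent.
    if conf.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin is yes: root can be attacked directly")
    for criteria, block in blocks:
        if block.get("permitrootlogin", "").lower() == "yes":
            findings.append(f"Match {criteria} re-enables PermitRootLogin")

    # 2. Key-only logins from untrusted networks. Password auth may stay on
    #    for a trusted range, but only inside a Match Address block.
    if conf.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is yes globally: "
                        "passwords accepted from any network")
    for criteria, block in blocks:
        if (block.get("passwordauthentication", "").lower() == "yes"
                and not criteria.lower().startswith("address ")):
            findings.append(f"Match {criteria} enables passwords "
                            "without restricting by address")

    # 3. Non-default port: hides sshd from scripts that only try 22;
    #    obfuscation, not a security boundary.
    if conf.get("port", "22") == "22":
        findings.append("Port 22: sshd is on the default port scripts try first")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

The parser deliberately mirrors sshd's own first-value-wins rule and keeps Match blocks separate, because a block that re-enables a directive is exactly the kind of thing a quick eyeball of the global section misses.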