From: Kenny McCormack on 17 Jun 2010 10:59

In article <hvdca3$cto$8(a)news.eternal-september.org>,
J G Miller <miller(a)yoyo.ORG> wrote:
....
>As I say, the security policy is entirely up to the individual
>concerned and there is no one size fits all, except to
>reiterate that too much security never hurt in any way
>like too little.

You might want to check out a recent White Paper which argues to the
contrary. I don't have the URL handy, but Google for things like:
"Is Security worth it?", "White Paper", "Microsoft" (Yes, it was written
and published by MS - feel free to do the usual Unix-rant thereto).

--
(This discussion group is about C, ...)

Wrong. It is only OCCASIONALLY a discussion group about C; mostly,
like most "discussion" groups, it is off-topic Rorsharch [sic]
revelations of the childhood traumas of the participants...

From: The Natural Philosopher on 17 Jun 2010 11:19

Kenny McCormack wrote:
> In article <hvdca3$cto$8(a)news.eternal-september.org>,
> J G Miller <miller(a)yoyo.ORG> wrote:
> ...
>> As I say, the security policy is entirely up to the individual
>> concerned and there is no one size fits all, except to
>> reiterate that too much security never hurt in any way
>> like too little.
>
> You might want to check out a recent White Paper which argues to the
> contrary. I don't have the URL handy, but Google for things like:
> "Is Security worth it?", "White Paper", "Microsoft" (Yes, it was written
> and published by MS - feel free to do the usual Unix-rant thereto).
>

Yes. There are many cases where too much security is no security at all.

case (i) IT guy gets frustrated by lack of access to firm when working at
home. Installs a modem on his machine, and connects to his DDI extension.
Modem scanner finds it, and hacks entire workgroup.

case (ii) As above, but takes data home on unencrypted USB stick, floppy,
or laptop. Loses it on the train.

case (iii) Hugely complex third party firewall crashes, so is switched off
by IT manager to allow users to actually do anything.

case (iv) Frustrated by being logged out of sessions after 15 minutes, IT
smart guy installs automatic keyer that keeps sessions alive... over lunch,
when his desk is unattended.

case (v) Workgroup behind massive company firewall installs a little wifi
gateway so they can use their laptops. They don't bother to secure it.

If security gets in the way of working, people will find ways around
it... those ways are often less secure than without the original security.

Unless you are involved in banking software, most of this stuff is total
overkill.

If you don't run wifi, you can pretty much consider that your keystrokes
and data are private between your LAN and the remote LAN. Anyone capable
of recording them in between will almost certainly be able to crack ssh
anyway.

If you run wired switches at each end of the WAN, even those (LANs) are
essentially secured, unless the switches can be made promiscuous. That
requires the sort of admin level access that can almost certainly hack
any linux boxes there, anyway. Without needing to get names and passwords.

The simplest way to hack a linux box is to boot with a live CD, and dump
whatever you want onto a USB stick. Or edit the password files to get
yourself a login with superuser privileges. Or install a daemon to record
superusers' passwords. Whatever.

If you have access to the machine - physical access - you have de facto
root access to it. If you don't have access to it, there is almost no way
you are going to be able to monitor its network traffic.

Thinking that ssh gains you anything is false security.

From: Kenny McCormack on 17 Jun 2010 13:21

In article <hvdeea$9ih$1(a)news.albasani.net>,
The Natural Philosopher <tnp(a)invalid.invalid> wrote a lot of good stuff,
leading up to:
....
>Thinking that ssh gains you anything, is false security..

Very good points (that I snipped above). You are addressing "the other
side of it" - a theme which was in the back of my mind - that is, that the
"power user" types (the customers of internal IT) would get exasperated
and work around the system.

Just for completeness, I feel I should observe that the white paper that
I cited was more about what you might call "end users" - i.e., people who
just basically surf (as part of their job duties). For them, dealing with
various "browser best practices" is just too much trouble.

--
Just for a change of pace, this sig is *not* an obscure reference to
comp.lang.c...

From: Pascal Hambourg on 17 Jun 2010 13:25

Hello,

General Schvantzkoph wrote:
>
> SSH is encrypted, telnet isn't.

Actually there is an encrypted version of telnet, telnet-ssl.

From: Douglas Mayne on 17 Jun 2010 13:59

On Thu, 17 Jun 2010 14:33:53 +0000, General Schvantzkoph wrote:

> On Thu, 17 Jun 2010 14:20:41 +0000, J G Miller wrote:
>
>> On Thu, 17 Jun 2010 13:44:39 +0000, General Schvantzkoph wrote:
>>> I require RSA authentication and I use denyhosts, but I also keep my
>>> pants up with both a belt and suspenders (that's for real, it's not
>>> just an expression).
>>
>> I really do not understand people's reaction to too much security being
>> overkill ie a bad thing.
>>
>> Too much security never hurt, as compared to too little.
>
> Everything has a performance cost, if something isn't adding any
> additional security you might not want to use it. Denyhosts is aimed at
> cutting off password guessing attacks, however if you've disabled
> password access then it's not clear what it's doing for you.
>
Certain forms of attack are "nipped in the bud" by intercepting the
packet before it reaches the dedicated server - say sshd, ftpd, etc.
OpenSSH has a very good security reputation (being developed by de Raadt,
et al.), but other servers may not fare as well when faced with malformed
packets, etc. Having a protocol "in front" designed to deal with TCP/IP
specifically - such as iptables, tcpwrappers, etc. - is good practice, IMO,
even if it is a "belt and suspenders" approach ;)
>
> My ssh
> server is a dedicated machine so I figure the cost of denyhosts is
> essentially free so I run it anyway with the hope that it will at least
> discourage attackers from trying something else.
>
Comment inline.
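
The question raised in the exchange above, whether password guessing is still reachable once "password access" is disabled, can be checked against an sshd_config. The script below is an added example, not code from any poster in the thread; the function names and both sample configs are constructed for illustration, and it assumes OpenSSH keyword names and only inspects the global section of the file.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST value it reads for a keyword and treats
# keywords case-insensitively; only the global section (before any Match
# block) is examined here.

# first_value 'name|alias' DEFAULT FILE -> effective value, lowercased
first_value() {
    awk -v want="$1" -v dflt="$2" '
        /^[ \t]*#/ || NF == 0 { next }            # comments, blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }             # accept "Keyword=value"
        tolower($1) == "match" { exit }           # global section ends
        !seen && tolower($1) ~ ("^(" want ")$") { val = tolower($2); seen = 1 }
        END { print (seen ? val : dflt) }
    ' "$3"
}

# password_guessable FILE -> exit 0 if a password-style method is enabled.
# Both options default to "yes" when absent.
password_guessable() {
    pw=$(first_value 'passwordauthentication' yes "$1")
    kbd=$(first_value 'kbdinteractiveauthentication|challengeresponseauthentication' yes "$1")
    [ "$pw" != no ] || [ "$kbd" != no ]
}

report() {
    if password_guessable "$1"; then
        echo "password guessing reachable"
    else
        echo "key-only"
    fi
}

# Constructed sample configs (not taken from the thread).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/keyonly" <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication=no
# A later duplicate is ignored by sshd: the first value wins.
PasswordAuthentication yes
EOF
cat > "$demo_dir/pam_default" <<'EOF'
PasswordAuthentication no
UsePAM yes
EOF

for f in keyonly pam_default; do
    printf '%s: %s\n' "$f" "$(report "$demo_dir/$f")"
done
```

The second sample shows the common gap: `PasswordAuthentication no` alone leaves keyboard-interactive authentication at its default, which with PAM usually still prompts for a password. On a live host, `sshd -T` prints the effective configuration and is the authoritative check.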