From: Keith Keller on 17 Jun 2010 15:15

On 2010-06-17, The Natural Philosopher <tnp(a)invalid.invalid> wrote:
> F. Michael Orr wrote:
>
>> If one were serious about compromising an organization, then all one
>> would have to do would be to set up a man in the middle router, which
>> would silently capture all traffic to/from a site. If this traffic were
>> not encrypted, this would be a problem.
>
> All? that's already a very very hard thing to do with most routers.
>
> And not something to be done without ISPs' explicit knowledge and consent.

Exactly--it's relatively straightforward to simply compromise someone on
the inside, who you then get to dump the traffic for you. Do you trust
all the people who work at every ISP between you and your ssh server?

Why are you so opposed to ssh when it's barely any more overhead than
telnet, and has many more features? You mentioned the hammer-nail
analogy in another post, but I'd counter that ssh is not a hammer, but a
swiss army knife--it does a lot of small tasks in a very handy way.

--keith

--
kkeller-usenet(a)wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
From: Keith Keller on 17 Jun 2010 15:20

On 2010-06-17, Kenny McCormack <gazelle(a)shell.xmission.com> wrote:
>
> You might want to check out a recent White Paper which argues to the
> contrary. I don't have the URL handy, but Google for things like:
> "Is Security worth it?", "White Paper", "Microsoft" (Yes, it was written
> and published by MS - feel free to do the usual Unix-rant thereto).

"So Long, and No Thanks for the Externalities: The Rational Rejection of
Security Advice by Users", by Cormac Herley

A link to the paper is at his MS site:

http://research.microsoft.com/en-us/people/cormac/

It's an interesting paper, but it's a little light in the mathematics.

--keith
From: David Brown on 17 Jun 2010 16:40

J G Miller wrote:
> On Thu, 17 Jun 2010 15:55:42 +0200, David Brown wrote:
>
>> The iptables rules control the incoming traffic, and limit it to a
>> particular source address if you want. Why would you bother repeating
>> the same rules again?
>
> If the filtering for outside traffic is done at the router, then you may
> not want to allow all hosts by default inside the network to ssh into
> that machine.
>

I was assuming the iptables rules were on the same machine as the ssh
server. If not, and if you see other machines on the same net as a risk,
then yes it makes sense to limit access to the ssh server by IP address.
Whether you do that by a local iptables rule or a hosts.allow rule is a
matter of taste.

> The best security model is not one where everything is open and then you
> lock down the undesirables, but the other way around where everything is
> locked down and then only open up those things which you wish to allow.
>

True enough. And it's also important to have layers of security at
different levels. I was objecting to what I saw as duplications - the same
security control in two different ways at two different places, which
won't block any more attacks but will still mean twice the maintenance and
twice the troubleshooting when something goes wrong.

>> A vpn doesn't add anything in security over the ssh connection.
>
> Two points
>
> 1) with VPN you have the VPN port open rather than the ssh port, which
> will of course stop ssh drive-by attempts.
>

You stop ssh drive-bys by using a non-standard port if you can. Connection
rate limiting is also very useful.

> 2) with VPN you can revoke a certificate, thereby stopping further access
> from the user with that certificate
>

And with ssh you can change the user's password or delete their public
key. A vpn can certainly add convenience - I just don't think it adds
security. When I want to access the company servers from my home network,
I have two paths. I can ssh into a relay machine, and ssh on from there to
the target machine (perhaps using port forwarding). Or I can connect my
vpn and then ssh directly to the targets. I don't think the second method
is more secure, but it is a step less if I am wanting to connect to
several servers.

>> Use public/private key access (perhaps also with passwords) for the ssh
>> access if you want.
>
> I completely agree that ssh with key exchange only as the means of
> authentication is the best use of ssh and in general provides adequate
> security even over the Internet.
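The controls discussed in the post above (limit the ssh port to a trusted source, rate-limit new connections, and rely on key-only authentication) as a worked example. This is an added illustration, not code from any of the posters: the port 2222, the network 192.168.1.0/24 and the two sample sshd_config files are constructed placeholders. The rule generator only prints the iptables commands; the audit function reads a config file and reports whether password-style logins are still effectively enabled (an absent directive falls back to OpenSSH's compiled-in default, which is the usual way a "key-only" server turns out not to be).

```sh
#!/bin/sh
# Added example (not from the thread): (1) iptables rules restricting the
# ssh port to a trusted network and rate-limiting new connections, and
# (2) an sshd_config audit for key-only authentication.
# Port, network and both sample configs below are constructed placeholders.

# Print iptables rules for ssh on port $1 reachable only from $2; the
# 4th NEW connection from one source within 60 s is dropped.
ssh_rules() {
  port="$1"; src="$2"
  cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $port ! -s $src -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Effective value of one sshd_config keyword: sshd honours the FIRST
# uncommented occurrence; an absent keyword takes the default passed as $3.
# (Match blocks are not handled by this deliberately small parser.)
sshd_effective() {
  awk -v k="$2" -v d="$3" '
    tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
    END { print (v == "" ? d : v) }' "$1"
}

# Return 0 if only public-key authentication is left enabled, else 1,
# printing each weakness found. Defaults are OpenSSH's compiled-in ones.
sshd_audit() {
  cfg="$1"; rc=0
  [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = "yes" ] \
    || { echo "WEAK: PubkeyAuthentication disabled"; rc=1; }
  [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = "no" ] \
    || { echo "WEAK: PasswordAuthentication effectively yes"; rc=1; }
  [ "$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)" = "no" ] \
    || { echo "WEAK: ChallengeResponseAuthentication effectively yes"; rc=1; }
  [ "$(sshd_effective "$cfg" Port 22)" != "22" ] \
    || echo "INFO: sshd still on port 22 (a non-standard port cuts drive-by noise)"
  return $rc
}

# Constructed sample configs written to temp files.
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT
cat >"$weak_cfg" <<'EOF'
# stock-style config: every auth directive left commented, so defaults apply
#Port 22
#PubkeyAuthentication yes
#PasswordAuthentication yes
EOF
cat >"$hardened_cfg" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

for f in "$weak_cfg" "$hardened_cfg"; do
  if sshd_audit "$f"; then echo "$f: key-only auth OK"; else echo "$f: needs hardening"; fi
done
ssh_rules 2222 192.168.1.0/24
```

The audit deliberately treats a commented-out `#PasswordAuthentication yes` as "yes", because that is what sshd does; the weak sample passes the pubkey check and still fails, which is the common misconfiguration when someone believes keys are the only way in.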
From: AZ Nomad on 17 Jun 2010 19:02

On Thu, 17 Jun 2010 23:35:52 +0100, The Natural Philosopher <tnp(a)invalid.invalid> wrote:
>AZ Nomad wrote:
>> On Thu, 17 Jun 2010 02:12:25 -0700, Todd <todd(a)invalid.com> wrote:
>>> Hi All,
>>
>>> With this command:
>>
>>> ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
>>
>>> I can run VirtualBox console on another computer with X11.
>>> All I get is asked for my password.
>>
>>> I don't get it. How is this any more secure than plain
>>> old telnet? Both are just a user name and password.
>>
>> With telnet, anybody watching packets going over our network can see
>> your password in the clear.
>>
>That's precisely nobody in any modern network.

bullshit.
From: Keith Keller on 17 Jun 2010 19:03

On 2010-06-17, The Natural Philosopher <tnp(a)invalid.invalid> wrote:
> Keith Keller wrote:
>>
>> Exactly--it's relatively straightforward to simply compromise someone on
>> the inside, who you then get to dump the traffic for you.
>
> You have to be joking.
>
> It's got to be worth more than the rest of their IT career for a start.

That's about money, not about ease. If you have enough money (which might
be less than you think) it's not difficult to find someone who can be
bought. (yes, it was a bit of a joke, but the point still stands, that
people are the weak link in almost any security situation)

>> Why are you so opposed to ssh when it's barely any more overhead than
>> telnet, and has many more features? You mentioned the hammer-nail
>> analogy in another post, but I'd counter that ssh is not a hammer, but a
>> swiss army knife--it does a lot of small tasks in a very handy way.
>
> I'm not opposed to it, I am opposed to the stupidity of people who
> think it makes any difference to anything in the real world.

So what if it does or not? The additional overhead above telnet is
minimal. It's not like you're asking users to carry an OTP card, which
would create a lot more work for them. The amount of effort to use ssh
(with password) and telnet is the same, so why not use the one that's
more secure (even if just barely)?

> Clearly they have no clue about REAL security, but are just parroting
> technobabble for the sake of it.

''Real'' security is taking whatever measures one deems reasonable. It
certainly does not seem reasonable to me to recommend telnet over ssh in
99% of situations where you need some sort of shell access to a remote
host over IP. Even a 486 or the various consumer wifi routers have enough
CPU to do ssh encryption fairly easily. (I do have some APC PDUs where ssh
actually is painfully slow, so I might see telnet as a better alternative
there, as one example.)

--keith