From: David Brown on 18 Jun 2010 03:13

On 17/06/2010 17:19, The Natural Philosopher wrote:
> Kenny McCormack wrote:
>> In article <hvdca3$cto$8(a)news.eternal-september.org>,
>> J G Miller <miller(a)yoyo.ORG> wrote:
>> ...
>>> As I say, the security policy is entirely up to the individual
>>> concerned and there is no one size fits all, except to
>>> reiterate that too much security never hurt in any way
>>> like too little.
>>
>> You might want to check out a recent White Paper which argues to the
>> contrary. I don't have the URL handy, but Google for things like:
>> "Is Security worth it?", "White Paper", "Microsoft" (Yes, it was written
>> and published by MS - feel free to do the usual Unix-rant thereto).
>>
>
> yes.
>
> there are many cases where too much security is no security at all.
>
>
> case (i) IT guy gets frustrated by lack of access to firm when working
> at home. Installs a modem on his machine, and connects to his DDI
> extension. modem scanner finds it, and hacks entire workgroup.
>
> case (ii) As above, but takes data home on unencrypted USB stick,
> floppy, or laptop. Loses it on the train.
>
>
> case (iii) hugely complex third party firewall crashes, so is switched
> off by IT manager to allow users to actually do anything..
>
> case (iv) Frustrated by being logged out of sessions after 15 minutes, IT
> smart guy installs automatic keyer that keeps sessions alive..over
> lunch, when his desk is unattended.
>
>
> case (v) workgroup behind massive company firewall installs a little
> wifi gateway so they can use their laptops.
>

Another good example, especially considering the source of the paper, is:

case (vi) Windows user can't understand all these popup warnings about viruses found in their emails, and cryptic messages about incoming packets or weird programs trying to connect to the internet. The easiest way to get the popups out of the way seems to be to select "Allow all" and "Don't ask me again".
From: David Brown on 18 Jun 2010 03:32

On 17/06/2010 16:33, General Schvantzkoph wrote:
> On Thu, 17 Jun 2010 14:20:41 +0000, J G Miller wrote:
>
>> On Thu, 17 Jun 2010 13:44:39 +0000, General Schvantzkoph wrote:
>>> I require RSA authentication and I use denyhosts, but I also keep my
>>> pants up with both a belt and suspenders (that's for real, it's not
>>> just an expression).
>>
>> I really do not understand people's reaction to too much security being
>> overkill i.e. a bad thing.
>>
>> Too much security never hurt, as compared to too little.
>
> Too much security typically doesn't hurt as much as too little, but there's a happy medium.
> Everything has a performance cost, if something isn't adding any
> additional security you might not want to use it. Denyhosts is aimed at
> cutting off password guessing attacks, however if you've disabled
> password access then it's not clear what it's doing for you. My ssh
> server is a dedicated machine so I figure the cost of denyhosts is
> essentially free so I run it anyway with the hope that it will at least
> discourage attackers from trying something else.
>

It's not normally the performance cost that is the issue - most modern hardware is too fast for things like encryption to be a significant performance cost. The real cost is in usability, and maintenance time (including configuring the stuff, trouble-shooting, modifying it, training administrators, etc.).

From a user's viewpoint, the lower the security the better. Every lock, key and checkpoint is an inconvenience and a waste of time. A user wants to have access to whatever they want, when they want. From a security viewpoint, the best security is no access at all. There is always a dichotomy here. Good security is about finding the balance to minimise the chances of a breach, minimise the consequences of such a breach, while maintaining a high level of functionality and usability - all the time trying to keep costs and time low.
One essential step in this is to go for the low-hanging fruit. Putting your ssh server on a non-standard port gives enormous security points for (typically) very little cost. Using ssh instead of telnet gives at least a little extra security, and sometimes a lot of extra security (such as when used with keys and tighter control of user access), and costs nothing - it's another no-brainer. On the other hand, requiring that ssh access has to come over a vpn offers nothing extra in security, but involves configuration and administration costs - it's typically not worth doing. Where these balances lie depends entirely on the circumstances - some systems are going to be targets for attacks (either from inside or from outside) and thus need more protection because of higher risks, and some have higher value data and thus need more protection because of higher consequences of a breach. One size does not fit all. But once you have reduced the risk of a breach and the consequences of a breach to a lower total than the risks through fire, burglary, and rubber hose cryptanalysis, your job as IT security manager is done for the day.
From: unruh on 18 Jun 2010 06:29

On 2010-06-17, David Brown <david(a)westcontrol.removethisbit.com> wrote:
> On 17/06/2010 11:12, Todd wrote:
>> Hi All,
>>
>> With this command:
>>
>> ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
>>
>> I can run VirtualBox console on another computer with X11.
>> All I get is asked for my password.
>>
>> I don't get it. How is this any more secure than plain
>> old telnet? Both are just a user name and password.
>> You could hack it the same old way other services
>> are hacked by running the dictionary at them. I
>> do believe OPH Crack over on the Windows side calls
>> this "Rainbow tables".

A dictionary attack on passwords is difficult if you choose reasonable
passwords, i.e. greater than 8 letters, and proper password choice. If you
use "a" as your password, then yes, password guessing is easy.
Also ssh encrypts all data, including password exchange.

>>
>> I ask this because I will be needing to open SSH (port 22)
>> for a vendor to get in on. And, well, I just don't get
>> the advantage of ssh over anything else. Think about it.
>>
>
> Arrange with the vendor to use a non-standard port. If you open port 22
> to the world, you'll get lots of unwanted attempts at breaking in. If
> you put your ssh server on port 12345, it will be free from attacks.

No. But it might make it more difficult. If you have a specific enemy
(rather than someone in Ulan Bator trying stuff on your random machine)
then weird ports will be of no help.

>
>> What am I missing? Is there a way to tighten ssh up?

Use decent passwords.
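The settings the thread has been arguing about (non-standard port, keys instead of passwords, limiting who can log in) can be checked mechanically. The following is an added example written for this thread, not code from any of the posters or from OpenSSH: it parses two constructed sshd_config samples, a weak one and a tightened one, and flags the points raised above. The defaults it assumes for absent keywords are the current OpenSSH ones; the port finding only reflects the background noise unruh mentions, not protection from a targeted attacker.

```python
"""Audit an sshd_config for the points raised in this thread: non-standard
port, key-only authentication, no root password login, a cap on guesses per
connection and an explicit allow-list of users.  Example code added to the
thread; the two config texts are constructed samples, not real servers."""

from typing import Dict, List

# Constructed sample: roughly what a stock install exposes on port 22.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

# Constructed sample: the tightened setup the thread describes (non-standard
# port, keys only, root locked out, fewer guesses, named users only).
HARDENED_CONFIG = """\
Port 12345
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers todd vendor
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines.  sshd keywords are case-insensitive and
    the first occurrence of a keyword wins, which is sshd's own rule."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged.
    Defaults used for absent keywords are the current OpenSSH defaults
    (assumption: older releases defaulted PermitRootLogin to yes)."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if cfg.get("port", "22") == "22":
        findings.append("Port 22: expect constant automated password guessing")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root reachable by password guessing")
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks remain possible")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled: keys cannot replace passwords")
    try:
        tries = int(cfg.get("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > 3:
        findings.append(f"MaxAuthTries {tries}: many guesses allowed per connection")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account is a target")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

Run against the weak sample it reports five findings; against the hardened sample it reports none. The one change that actually answers Todd's question about dictionary attacks is PasswordAuthentication no: the port change only thins out the scanners, which is exactly unruh's objection.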
From: Maxwell Lol on 18 Jun 2010 07:00

David Brown <david(a)westcontrol.removethisbit.com> writes:
> case (vi) Windows user can't understand all these popup warnings about
> viruses found in their emails, and cryptic messages about incoming
> packets or weird programs trying to connect to the internet. The
> easiest way to get the popups out of the way seems to be to select
> "Allow all" and "Don't ask me again".

Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/ has an excellent talk on security and usability - he presented it at DEFCON last year. One of the truisms: if there's a checkbox that says "check here so you don't see this box again" - it will be checked.
From: Maxwell Lol on 18 Jun 2010 07:05

unruh <unruh(a)wormhole.physics.ubc.ca> writes:
> A dictionary attack on passwords is difficult if you choose reasonable
> passwords, i.e. greater than 8 letters, and proper password choice. If you
> use "a" as your password, then yes, password guessing is easy.
> Also ssh encrypts all data, including password exchange.

Well, if the application was dumb, and allowed unlimited guessing, then brute force password cracking can succeed even if a hard-to-guess password is chosen.
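General Schvantzkoph's denyhosts and Maxwell Lol's point about unlimited guessing are two sides of the same thing: if password logins stay enabled, something has to count the failures. The following is an added example written for this thread, not the posters' code and not denyhosts' own logic: it runs a denyhosts-style sliding window over constructed sshd auth.log lines and reports sources that reach a threshold of failed passwords. The threshold, window and the year prepended to the syslog timestamps are assumptions. It also counts totals per source, which shows the failure mode of this kind of detection: a source that spaces its guesses an hour apart makes the same number of attempts but never trips the window.

```python
"""Count failed ssh password attempts per source address in a sliding window
(the denyhosts idea) and report who exceeds a threshold.  Example code added
to this thread; the log lines below are constructed samples in the syslog
format sshd writes to auth.log, and the year/threshold/window are assumed."""

import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict

# Constructed sample: one fast guesser, one normal user with a typo, and one
# slow guesser spreading the same number of attempts over five hours.
SAMPLE_LOG = """\
Jun 18 03:10:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 18 03:10:03 host sshd[4013]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 18 03:10:05 host sshd[4015]: Failed password for todd from 203.0.113.7 port 51024 ssh2
Jun 18 03:10:06 host sshd[4017]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 18 03:10:08 host sshd[4019]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 18 03:11:40 host sshd[4021]: Accepted publickey for todd from 192.168.255.14 port 40222 ssh2
Jun 18 03:12:00 host sshd[4023]: Failed password for todd from 192.168.255.14 port 40223 ssh2
Jun 18 03:40:00 host sshd[4030]: Failed password for root from 198.51.100.9 port 60001 ssh2
Jun 18 04:40:00 host sshd[4031]: Failed password for root from 198.51.100.9 port 60002 ssh2
Jun 18 05:40:00 host sshd[4032]: Failed password for root from 198.51.100.9 port 60003 ssh2
Jun 18 06:40:00 host sshd[4033]: Failed password for root from 198.51.100.9 port 60004 ssh2
Jun 18 07:40:00 host sshd[4034]: Failed password for root from 198.51.100.9 port 60005 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_timestamp(ts: str, year: int = 2010) -> datetime:
    """auth.log omits the year, so the caller supplies one (assumed 2010 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def count_failures(log_text: str) -> Dict[str, int]:
    """Total failed password attempts per source, regardless of timing."""
    totals: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            totals[m.group("src")] += 1
    return dict(totals)


def find_guessing_sources(log_text: str, threshold: int = 5,
                          window_seconds: int = 600) -> Dict[str, str]:
    """Return {source: time-of-day it reached `threshold` failures within
    `window_seconds`}.  Sources that stay under the threshold are omitted."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        when = parse_timestamp(m.group("ts"))
        q = recent[src]
        q.append(when)
        # Slide the window: discard attempts older than window_seconds.
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = when.strftime("%H:%M:%S")
    return flagged


if __name__ == "__main__":
    print("totals:", count_failures(SAMPLE_LOG))
    print("flagged:", find_guessing_sources(SAMPLE_LOG))
```

With the sample above only 203.0.113.7 is flagged (five failures in seven seconds), while 198.51.100.9 makes the same five attempts and is never caught by the window. That is the practical reading of Maxwell Lol's remark: throttling raises the cost of guessing but does not end it, so on a box that must face the internet the durable fix is the one unruh and General Schvantzkoph already use, keys with password login disabled.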