From: Chris Cox on 12 Apr 2010 19:10

On Mon, 2010-04-12 at 21:10 +0100, Ulick Magee wrote:
> Chris Cox wrote:
> > On Mon, 2010-04-12 at 19:10 +0200, JT wrote:
> > ....
> >> That's what I meant with: obfuscation != security ;-)
> >>
> >
> > I think I can pretty much prove that most computer
> > security IS obfuscation. Obfuscation is not a bad thing,
> > it's used for passwords, SSL, SSH, etc.
>
> Obfuscation isn't the same thing as 'security by obscurity' which IS a
> bad thing.

Actually... again... no.... I know this is a popular thing to "say"... but it's akin to saying that goto's are bad in code. Both are often said, and both are horribly incorrect. What COULD be said is that some things are not obscured very well.... just like some would say that some do not use goto's well.

> Obfuscation is like getting a better lock fitted to your front door.
> Security by obscurity is like putting the key under the doormat and
> hoping nobody thinks to look there.

Actually bad obscurity is taping the key underneath the lock itself. Hardly obscure... way too easy. A lock is also pretty weak obscurity and easily picked in MOST cases.

I know... I'm really not trying to be belligerent... just that most aren't very good at understanding security issues. Just because a phrase is popular DOES NOT make it true.

If there's a thousand vicious bots attacking port 22 because it's open on your box, moving ssh to a different port is sufficient obscurity since the bots will NOT find it (they're just too dumb) and you achieve the desired results of not getting picked on so much. Ditto for making yourself non-pingable. It sufficiently obscures your box from most bots since full port scans are VERY slow on a Linux box... the bots test, mark the IP as not interesting and instead of being put on "the list"... you get to enjoy much smaller firewall log files.

Security by obscurity is a USEFUL security tool and NO good security admin is going to throw out a useful tool.
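As an added example (not from anyone in the thread), the two measures Chris describes, sshd on a non-standard port and no reply to ping, written as an nftables ruleset, together with the inbound whitelist of approved source ranges that comes up later in the thread. The port number and the address ranges are placeholders, and sshd is assumed to have been moved with `Port 2022` in sshd_config:

```nftables
# /etc/nftables.conf  (added example; ranges and port number are placeholders)
define approved = { 10.20.0.0/22, 10.30.1.0/24, 10.30.2.0/24 }
define ssh_port = 2022

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # "non-pingable": echo requests are dropped silently, so a
        # bot's ping sweep marks the address as uninteresting
        icmp type echo-request drop
        icmpv6 type echo-request drop

        # sshd listens on the moved port and only approved ranges may reach
        # it; the rate limit keeps one noisy source from filling the log
        ip saddr $approved tcp dport $ssh_port ct state new limit rate 6/minute accept

        # nothing listens on 22 any more; the attempt is dropped without a log line
        tcp dport 22 drop
    }
}
```

The policy is `drop`, so the whitelist is the only way in for new SSH connections; a source outside `$approved` gets no response on either port, which is the "they move on to some other easy target" effect described in the thread. Check the ruleset with `nft -c -f /etc/nftables.conf` before loading it, and keep an existing session open while testing so a mistake in the ranges does not lock you out.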
From: Kevin Miller on 12 Apr 2010 19:23

Chris Cox wrote:
>
> Security by obscurity is a USEFUL security tool and NO good
> security admin is going to throw out a useful tool.

As long as it's not the only (or primary) tool in the tool box. That other OS seems to be rather short sighted that way sometimes. Added into the arsenal, it's one more hoop the bad guys have to jump through which slows 'em down that much more. I figure it's sort of like spamassassin; lots and lots of little things that add up to a clean system. No one tool does it all...

....Kevin
--
Kevin Miller
Juneau, Alaska
http://www.alaska.net/~atftb
In a recent poll, seven out of ten hard drives preferred Linux.
From: Paul J Gans on 12 Apr 2010 22:28

Moe Trin <ibuprofin(a)painkiller.example.tld.invalid> wrote:
>On Mon, 12 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
><slrnhs62lq.99l.houghi(a)penne.houghi>, houghi wrote:
>>Moe Trin wrote:
>>>>> 2) Use whitelisting and only allow certain IP addresses and/or ranges.
>>> I consider both more desirable than the log readers. YMMV.
>>I do not like the log readers nor do I like the above.
> BlockHosts uses regular expressions to detect repeated probes into your
> system, by trying to match the regular expressions to lines in the
> system log files.
>
>That's from the FAQ. This is from the README
> Block IP Addresses based on login or access information in system logs.
>Or have you found some other application named 'BlockHosts'?
>>> It's slightly less of a performance hit doing it that way than
>>> individually listing each "bad" IP address in your firewall. Ever
>>> think about how many CPU cycles you're wasting wading through that
>>> long list of "bad" addresses? (A ten minute block time is more than
>>> enough to deter the 'bot or skript kiddiez.)
>>Long list? Each time I look I see about 5 IP addresses blocked (and 6
>>in the allow list) To me that is better than having a crontab running
>>every 10 minutes when there was no attack, so running it useless or
>>waiting 10 minutes while I receive an attack.
>The bad guy attempts a login and fails. That failure data is put into
>the system logs. Blockhost (and the other similar ``tools'') looks at
>the logs during its chunk of CPU time, and on seeing the failure
>message, puts a block line into /etc/hosts.deny (most log-readers)
>and/or creates a host block rule in the firewall (some log-readers).
>Some of these "Self Denial Of Service Attack" tools make the entry
>permanent - some run a separate 'remove the rule after NN time'
>function. By the way, did you check your crontabs to see that
>Blockhost isn't using cron for some functions? It's in the docs.
>>> White listing is the same as moving the port. It is not a substitute
>>> for authentication. It reduces the number of attempts.
>>With whitelisting I mean you whitelist some very few IP addresses, like
>>the one from your work, one from your providers ssh server, one from
>>your moms place. Not adding all the IP ranges of all European countries.
>My firewall allows _inbound_ access from a /22 and two /24s "outside"
>or a total of 1530 addresses, because I can't see any reason to allow
>connections from you or anyone else that I haven't approved in advance,
>and I really don't expect authorized users to be connecting from
>Kazakhstan, Kenya, Kiribati, Korea, or Kuwait or a lot of other places
>either. Lest someone from those countries object, I also don't allow
>access from nearly all ISPs in North America.
>>> Be careful about using high ports. Many places block _outbound_
>>> access to what they consider "non-standard" ports. At work, the
>>> users are allowed access to _very_few_ ports, because management
>>> has decreed that the users have no need to access those ports. You
>>> may also find places put a proxy between you and the world for the
>>> same reason. Choosing low port numbers OTHER THAN 20-25 and
>>> such _may_ offer a better chance of connecting.
>>And that is why I leave it at 22, among other reasons.
>I moved it several years ago - no problems. I really don't care if
>others have a problem connecting to my system. Those I want/allow
>to connect know about the non-standard port. The skript kiddiez and
>'bots may try to connect to 22/tcp, and as nothing is there, they
>move on to some other easy target.
>>To me BlockHosts is great against pollution of your logfiles.
>If you're happy with it - that's fine. Moving the port, and
>severely restricting the address range is just as easy. In the rare
>event that I need to connect from a non-pre-approved IP, I can use a
>variation of port knocking - I attempt to connect to (closed) port ZZ.
>The firewall sees that attempt, and momentarily opens port YY for that
>address. If login/authentication fails, it's no worse than before, but
>I don't have that noise in the logs either.
>
> Old guy

Each of us has slightly different situations. I have a machine in my office that is on 24/7. It is, among other things, my e-mail server. I want access to the machine so that I can read my mail no matter where I am or which machine I'm using. Thus blocking on IP address won't help me. Nor will limiting the accepted addresses.

Nevertheless, blocking repeated attempts to log in for a period of time long enough to make the attacker go try somebody else *would* be of use to me.

On a slightly different topic, I agree that most security is obfuscation in one form or another. A "good" password is an obfuscation. So is turning off access to the server unless and until a message with a prescribed content is received first. That's obfuscation too. But it all helps.

--
--- Paul J. Gans
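The three mechanisms argued over above (a BlockHosts-style log reader with a timed block, a small inbound whitelist, and knock-to-open) modelled in one short Python script. This is an added example, not code from BlockHosts or from anyone in the thread: the sshd log lines, the RFC 5737 documentation addresses, the port numbers and the 600-second block time are all constructed here. It also shows the two points Moe Trin raises that a practitioner wants handled: the whitelist is consulted before a block is created, so the tool cannot lock out an approved range (the "Self Denial Of Service" case), and a block expires instead of growing the rule list forever.

```python
"""Toy model of three controls discussed in this thread: a BlockHosts-style
log reader with timed blocks, a CIDR whitelist that is never blocked, and a
knock-to-open firewall rule.  Added example, not code from BlockHosts or from
anyone in the thread; log lines, addresses and ports are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log excerpt (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Apr 12 19:10:01 box sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Apr 12 19:10:03 box sshd[1235]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2
Apr 12 19:10:04 box sshd[1236]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 12 19:10:09 box sshd[1240]: Failed password for paul from 198.51.100.20 port 40000 ssh2
Apr 12 19:10:12 box sshd[1241]: Accepted publickey for paul from 198.51.100.20 port 40001 ssh2
"""

# One regular expression per failure message, the way a log reader carries them.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def usable_hosts(cidrs):
    """Usable addresses in a whitelist (network and broadcast address excluded)."""
    return sum(ipaddress.ip_network(c).num_addresses - 2 for c in cidrs)


class LogReaderBlocker:
    """Counts failed logins per source and blocks a source for a limited time."""

    def __init__(self, whitelist, threshold=3, block_seconds=600):
        self.whitelist = [ipaddress.ip_network(c) for c in whitelist]
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)
        self.blocked_until = {}  # ip -> time at which the block expires

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def scan(self, log_text, now):
        """Run the regex over the log; return the sources newly blocked at time `now`."""
        newly_blocked = []
        for line in log_text.splitlines():
            match = FAILED_RE.search(line)
            if not match:
                continue
            ip = match.group(1)
            if self.is_whitelisted(ip):
                continue  # an approved range can never block itself out
            self.failures[ip] += 1
            if self.failures[ip] >= self.threshold and ip not in self.blocked_until:
                self.blocked_until[ip] = now + self.block_seconds
                newly_blocked.append(ip)
        return newly_blocked

    def is_blocked(self, ip, now):
        """True while a block is active; an expired block is removed and the count reset."""
        expires = self.blocked_until.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True


class KnockFirewall:
    """A SYN to the (closed) knock port briefly opens the service port for that source."""

    def __init__(self, knock_port, service_port, open_seconds=30):
        self.knock_port = knock_port
        self.service_port = service_port
        self.open_seconds = open_seconds
        self.opened_until = {}  # src -> time at which the window closes

    def packet(self, src, dst_port, now):
        """Decide an inbound connection attempt: 'knock', 'accept' or 'drop'."""
        if dst_port == self.knock_port:
            self.opened_until[src] = now + self.open_seconds
            return "knock"  # the knock port itself stays closed
        if dst_port == self.service_port and self.opened_until.get(src, 0) > now:
            return "accept"
        return "drop"


if __name__ == "__main__":
    blocker = LogReaderBlocker(whitelist=["198.51.100.0/24"])
    print("blocked:", blocker.scan(SAMPLE_LOG, now=1000))
    print("usable hosts:", usable_hosts(["10.20.0.0/22", "10.30.1.0/24", "10.30.2.0/24"]))
    fw = KnockFirewall(knock_port=2222, service_port=2022)
    print(fw.packet("198.51.100.20", 2222, 0), fw.packet("198.51.100.20", 2022, 10))
```

`usable_hosts` on a /22 and two /24s gives 1530, which matches the count Moe Trin quotes and shows the whitelist is small enough that the per-packet cost of checking it is negligible next to a long list of individually blocked addresses. The `now` parameter stands in for the clock so the run is deterministic; a real log reader would use the time of each cron run or log line.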
From: JT on 13 Apr 2010 02:21

On 12/04/10 21:40, Chris Cox wrote:
> On Mon, 2010-04-12 at 19:10 +0200, JT wrote:
> ...
>
>> That's what I meant with: obfuscation != security ;-)
>>
> I think I can pretty much prove that most computer
> security IS obfuscation. Obfuscation is not a bad thing,
> it's used for passwords, SSL, SSH, etc.
>

Also: obfuscation != encryption. Obfuscation means: "make it hard to understand" (Webster's). True security is: make it easy to understand but also make it hard to get through.

--
Kind regards, JT
From: Chris Cox on 13 Apr 2010 12:51

On Tue, 2010-04-13 at 08:21 +0200, JT wrote:
> On 12/04/10 21:40, Chris Cox wrote:
.....
> Also: obfuscation != encryption. Obfuscation means: "make it hard to
> understand" (Webster's). True security is: make it easy to understand
> but also make it hard to get through.

:-) You say tomato.... A password hash is merely a hard to understand mapping... Since collision is a possibility, arguably, it's easier to crack than a custom personal obfuscation..... Just saying...