From owner-freebsd-stable Wed May 30 12:31:29 2001
Date: Wed, 30 May 2001 21:31:45 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Sven Huster <sven.huster@mailsurf.com>
Cc: stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends
Message-ID: <20010530213145.B40244@mail.webmonster.de>
References: <200105292315.f4TNFOu31573@earth.backplane.com>
In-Reply-To: message from sven.huster@mailsurf.com on Wed, May 30, 2001 at 01:30:34AM +0200
User-Agent: Mutt/1.2.5i

Sven Huster(sven.huster@mailsurf.com)@2001.05.30 01:30:34 +0000:
> the arguments here are a little bit funny.
> give the hacker the possibility otherwise he would do much
> more evil things. uhhh...
>
> i thought every single step to make a machine
> secure should be taken.

the honeypot/-trap method is a widely known one, so you set up a box that
looks like in-production for the people to crack and have some serious
countermeasures in place on that box. so you can manage the risk of your
server farm a little better.
bottom line:
- you do not want someone to steal data
- you do not want to disclose sensible secrets such as passwords
- there are a lot of rootkits out there
- none of them work for 99% of the script kiddies if you configure 2 or
  three things the rootkit "installer" script doesn't like
- if an attacker gets frustrated he tries to sabotage you whilst you are
  not able to directly intervene or prevent it
- NIS is NOT a secure solution for storing secrets off the machine, IMVHO.
  onetime methods such as s/key worked out to be better, at least for me
  and my users ;-) NIS is not immune to sniffing and requires the rpc
  portmapper. from the yp(4) man page: "Client NIS systems receive all
  NIS data in ASCII form." Ouch.
- there's a whole bunch of information in security(7), written by matt
- there are a lot of papers out there concerning unix security in general
- do not run network daemons you don't need
- if possible run network daemons as non-root
- kill inetd, use tcpserver (ucspi-tcp)
- be restrictive in setting subsystem permissions
- suid executables are a bad thing[tm]
- group permissions often are the key to managing impact from network
  based attacks
- schg does not prevent your system from being r00ted
- check your binaries, mtree can do that for you
- check your binaries, tripwire can do that for you
- check your binaries, ... ;-)

have fun
/k

-- 
> A Christian is a man who feels repentance on Sunday for what he did on
> Saturday and is going to do on Monday.
--Thomas Ybarra
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
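The mail closes with "check your binaries, mtree can do that for you". What mtree(8) and tripwire do underneath is record a specification of each file (mode, size, a digest) and later compare the live tree against it. The following is an added example of that idea in Python; it is not part of this mail and not FreeBSD's mtree or tripwire code. It assumes a hypothetical tree laid out under a temporary directory built inside `demo()`, uses SHA-256 where the tools of the period used MD5 or SHA-1, and flags the setuid/setgid bits separately because the mail singles those out. The point the example makes that the one-liner does not: a tampered binary whose size is preserved still shows up (the digest changes), and a mode change to setuid is reported on its own, which is why size-and-timestamp checks are not enough.

```python
"""mtree-style integrity check (added example, not FreeBSD's mtree(8)).

Record a baseline spec of every file under a root (mode, type, size,
SHA-256, setuid/setgid flag), then report files that are missing, added
or changed relative to that baseline.  The spec must be kept off the
host or on read-only media; a baseline writable by root on the checked
box is only as trustworthy as the box itself.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Record = Dict[str, object]
Spec = Dict[str, Record]


def file_record(path: Path) -> Record:
    """Describe one file the way an mtree keyword line would."""
    st = path.lstat()
    rec: Record = {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "type": "link" if stat.S_ISLNK(st.st_mode) else "file",
        "size": st.st_size,
        # setuid/setgid recorded explicitly: the mail calls suid a bad thing
        "suid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
    }
    if rec["type"] == "link":
        rec["target"] = os.readlink(path)
    else:
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_spec(root: Path) -> Spec:
    """Walk the tree (not following symlinks) and record every file."""
    spec: Spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            spec[str(p.relative_to(root))] = file_record(p)
    return spec


def save_spec(spec: Spec, dest: Path) -> None:
    dest.write_text(json.dumps(spec, indent=1, sort_keys=True))


def load_spec(src: Path) -> Spec:
    return json.loads(src.read_text())


def verify(root: Path, spec: Spec) -> Dict[str, list]:
    """Compare the live tree with the baseline; 'changed' lists which keys differ."""
    current = build_spec(root)
    report: Dict[str, list] = {"missing": [], "added": [], "changed": []}
    for rel, old in spec.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new != old:
            keys = set(old) | set(new)
            diffs: List[str] = sorted(k for k in keys if old.get(k) != new.get(k))
            report["changed"].append((rel, diffs))
    report["added"].extend(rel for rel in current if rel not in spec)
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a tiny sbin tree, then simulate an
    altered binary (same size, now setuid), a dropped-in file and a removed file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbin").mkdir()
        (root / "sbin" / "sshd").write_bytes(b"constructed sshd stand-in\n")
        login = root / "sbin" / "login"
        login.write_bytes(b"constructed login binary\n")
        login.chmod(0o755)
        save_spec(build_spec(root), root / "baseline.json")
        baseline = load_spec(root / "baseline.json")
        (root / "baseline.json").unlink()   # baseline lives elsewhere in practice
        # Tampering: same byte count, different content, and the setuid bit set
        login.write_bytes(b"constructed LOGIN binary\n")
        login.chmod(0o4755)
        (root / "sbin" / "extra").write_bytes(b"constructed unexpected file\n")
        (root / "sbin" / "sshd").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, `build_spec` runs on a freshly installed box, the JSON goes to read-only media or another host, and `verify` runs from a known-good tool (a rootkit that replaces `ls` or `find` can lie to a checker that trusts the running system's binaries, which is the same reason the mail says schg alone is no protection).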