Date:      Wed, 30 May 2001 21:31:45 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Sven Huster <sven.huster@mailsurf.com>
Cc:        stable@FreeBSD.ORG
Subject:   Re: adding "noschg" to ssh and friends
Message-ID:  <20010530213145.B40244@mail.webmonster.de>
In-Reply-To: <NGEPJANEPIDHMDLBLKMDGEBBCNAA.sven.huster@mailsurf.com>; from sven.huster@mailsurf.com on Wed, May 30, 2001 at 01:30:34AM +0200
References:  <200105292315.f4TNFOu31573@earth.backplane.com> <NGEPJANEPIDHMDLBLKMDGEBBCNAA.sven.huster@mailsurf.com>

Sven Huster(sven.huster@mailsurf.com)@2001.05.30 01:30:34 +0000:
> the arguments here are a little bit funny.
> give the hacker the possibility otherwise he would do much
> more evil things. uhhh...
> 
> i thought every single step to make a machine
> secure should be taken.
the honeypot/-trap method is a widely known one, so you set up a box
that looks like it's in production for people to crack and have some
serious countermeasures in place on that box. so you can manage the risk
to your server farm a little better.

bottom line:
- you do not want someone to steal data
- you do not want to disclose sensitive secrets such as passwords
- there are a lot of rootkits out there
- none of them work for 99% of the script kiddies if you configure two or
  three things the rootkit "installer" script doesn't like
- if an attacker gets frustrated he tries to sabotage you whilst you are
  not able to directly intervene or prevent it
- NIS is NOT a secure solution for storing secrets off the machine,
  IMVHO. onetime methods such as s/key worked out to be better, at least
  for me and my users ;-) NIS is not immune to sniffing and requires the
  rpc portmapper. from the yp(4) man page:
  "Client NIS systems receive all NIS data in ASCII form."
  Ouch.
- there's a whole bunch of information in security(7), written by Matt
- there are a lot of papers out there concerning unix security in
  general
- do not run network daemons you don't need
- if possible run network daemons as non-root
- kill inetd, use tcpserver (ucspi-tcp)
- be restrictive in setting subsystem permissions
- suid executables are a bad thing[tm]
- group permissions often are the key to managing impact from network
  based attacks
- schg does not prevent your system from being r00ted
- check your binaries, mtree can do that for you
- check your binaries, tripwire can do that for you
- check your binaries, ...
;-)

have fun
/k

-- 
> A Christian is a man who feels repentance on Sunday for what he did on
> Saturday and is going to do on Monday.  --Thomas Ybarra
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
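The closing "check your binaries" items (mtree, tripwire) together with the "schg does not prevent your system from being r00ted" point, as an added example that is neither part of the original message nor the code of mtree or tripwire: a small Python baseline-and-verify checker run over a constructed directory tree. The fake bin directory, the file names and the simulated tampering in it are all constructed for the demo.

```python
"""mtree(8)/tripwire-style baseline-and-verify check for a directory tree.

Added example, not code from the original message or from mtree/tripwire.
It records, for every entry under a root, the attributes a rootkit installer
typically changes (type, permission bits including setuid/setgid, owner, BSD
file flags where the platform exposes them, size and a SHA-256 of contents
for regular files, target for symlinks) and reports what moved on a later run.
The sample tree and the tampering below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _digest(path):
    """SHA-256 of a regular file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(path):
    """Attributes of one filesystem entry. lstat: a replaced symlink is itself a finding."""
    st = os.lstat(path)
    rec = {
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),      # permission bits incl. setuid/setgid/sticky
        "uid": st.st_uid,
        "gid": st.st_gid,
        "flags": getattr(st, "st_flags", 0),   # schg/sappnd/uchg on BSD; absent on Linux -> 0
    }
    if stat.S_ISREG(st.st_mode):
        rec["size"] = st.st_size
        rec["sha256"] = _digest(path)
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def baseline(root):
    """Return {relative path: record} for every directory, file and link under root."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            spec[os.path.relpath(full, root)] = _record(full)
    return spec


def verify(root, spec):
    """Compare the live tree with a baseline.

    Returns (added, removed, changed); changed maps path -> {attribute: (expected, actual)}.
    """
    now = baseline(root)
    added = sorted(set(now) - set(spec))
    removed = sorted(set(spec) - set(now))
    changed = {}
    for path in sorted(set(now) & set(spec)):
        keys = set(spec[path]) | set(now[path])
        diff = {k: (spec[path].get(k), now[path].get(k))
                for k in keys if spec[path].get(k) != now[path].get(k)}
        if diff:
            changed[path] = diff
    return added, removed, changed


def demo():
    """Constructed scenario: a fake bin directory, a baseline, then a simulated rootkit."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
            os.chmod(os.path.join(bindir, name), 0o755)

        # The baseline must live where the box's root cannot rewrite it
        # (read-only media or another host); a JSON round-trip stands in for that here.
        spec = json.loads(json.dumps(baseline(root)))

        # Simulated tampering: trojaned ps with identical size (so size alone would
        # not catch it), setuid bit added to ls, netstat deleted, a sniffer dropped in.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho fake ps\n")
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        os.remove(os.path.join(bindir, "netstat"))
        with open(os.path.join(bindir, "sniff"), "wb") as f:
            f.write(b"\x7fELF")

        return verify(root, spec)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)      # ['bin/sniff']
    print("removed:", removed)    # ['bin/netstat']
    for path, diff in changed.items():
        print("changed:", path, diff)
```

Run directly, it prints the added, removed and changed entries, with the trojaned ps showing up only through its digest and the ls change only through its mode bits. The design point is the one mtree and tripwire depend on as well: the spec has to be stored where the box's root cannot rewrite it, because once someone is root (schg or not) they can replace both the binary and a locally kept baseline. On FreeBSD the system's own tool does this job: `mtree -c -K md5digest -p /usr/bin > usr-bin.spec` writes a spec and `mtree -p /usr/bin < usr-bin.spec` reports deviations from it.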
