Security basics

Lamar Owen lowen at pari.edu
Thu Oct 4 12:31:43 UTC 2007


On Wednesday 03 October 2007, Karl Larsen wrote:
>     This whole line of reasoning is false. I don't care if Hacker, the
> bad guy, gets on my computer with ssh. He then needs to come up with a
> valid login name and password. If he fails at this in some set time it
> all quits.

>     Until you can convince me that my system is at risk from ssh when
> using a real password I am going to sleep well.

Go to www.cert.org and search for "SSH vulnerability" and understand that, 
while those holes have been patched, there will be other holes found.

Buffer overflows impact your security.  SELinux does mitigate their impact to 
a degree, as long as it's enabled and set to enforcing; but in the specific 
case of ssh that won't help a great deal.

To summarize the holes: over the years, remote execution vulnerabilities due 
to program bugs have been found and patched; the fact that there have been 
bugs of this nature found implies strongly that there are unpatched bugs in 
the code now that have not been discovered (or if they've been discovered, 
the knowledge hasn't been disseminated); holes must be assumed.

Security is never absolute; and is best done in layers, and as a continuous 
process.  I'm not going to say that I know everything there is to know about 
it; no one does.  Nor am I going to say that my systems are invulnerable; no 
one's are (unless they're turned off and unplugged).  But I have learned a few 
things in my several years' experience in the field; layered security is one 
of them.

The degree of usability of a system and the degree of security of a system are 
inversely proportional.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu