Re: OT: security device
- From: Randy Yates <yates@xxxxxxxx>
- Date: Sun, 08 Oct 2006 00:35:39 GMT
Michael Heiming <michael+USENET@xxxxxxxxxxxxxx> writes:
In comp.security.ssh Unruh <unruh-spam@xxxxxxxxxxxxxx>:
Randy Yates <yates@xxxxxxxx> writes:
Folks,
Forgive the OT nature, but I'm dying to bounce this off of some
reputable and knowledgeable people in security, and I think this
group is rich in such members.
The problem of being owned, hacked, kiddied, yada-yada-yada is
so common nowadays I was thinking of ways to at least detect
such situations and came up with this.
[..]
A far far better idea is to run an OS that is not so subject to "being
owned, hacked, kiddied, yada-yada-yada". You are trying to provide
protection at the worst possible point, instead of the best.
Indeed, this was my first thought about the "problem" I can't
really see. Since this was posted to css, I am presuming somehow
owned through ssh?
Not that I can detect. It's just that I'm not ever sure.
- Disable direct root logins, use 'su/sudo'.
Done.
- Deny ssh logins other than from trusted systems/networks
That defeats the purpose of ssh and my need. I want to be able
to login from potentially unknown systems/networks.
- Allow keylogin only over public networks
Again, I can't always predict where I'll be logging in from.
Another idea would be to run sshd on another port; this obfuscates
malicious scripts at least.
Done.
Or you could send your system a mail
and let it configure through procmail to open sshd to a certain
IP you just send?
I had thoughts along those lines, but hadn't gone quite that far.
No, I don't think I'm owned. I just hate the idea of it ever happening,
and like I said in an adjacent post, I don't see that you can ever
guarantee it won't without using a physically and logically separate
system.
--
% Randy Yates % "Maybe one day I'll feel her cold embrace,
%% Fuquay-Varina, NC % and kiss her interface,
%%% 919-577-9882 % til then, I'll leave her alone."
%%%% <yates@xxxxxxxx> % 'Yours Truly, 2095', *Time*, ELO
http://home.earthlink.net/~yatescr