[svlug] Configuring Server - SSH Trouble + Security Considerations

Rick Moen rick at linuxmafia.com
Mon Oct 23 15:47:57 PDT 2006

Quoting Lord Sauron (lordsauronthegreat at gmail.com):

> If I'm careful and build my PHP correctly I don't think anything
> should get through.

Oh, you're definitely at a good starting point, if you're writing your
_own_ PHP.  The usual problem is in deciding to deploy, say, Drupal or
phpBB -- especially if you do so from tarballs rather than from distro
packages of those codebases, because then you don't receive automatic
security patches.

> What's the issue with pserver?

Eh, I've been carefully avoiding running it for so many years that I've
forgotten details, but it sends plaintext login passwords across the
wire, for one thing -- just like non-ssl, non-anonymous ftp or regular
POP3 or telnet.  And it has had a really regrettable history in other
ways, too.  Add to that the fact that it's just a lame crutch for people
unwilling to install an ssh client (http://linuxmafia.com/ssh/), and I
personally wouldn't go near it, ever.

> I did decide that if I was going to use ftp, it would be sftp or
> something more secure.

sftp is _not ftp_.  That's a frequent bad assumption people make, based
just on the similarity of name.  But they implement different protocols

> >Off the top of my head, gee, dunno.  Nessus?  Tiger?  Maybe you should
> >start out with just one or two basic tools and learn to use those
> >_well_.  (Beware the Gadget Freak Side, Luke.)
> It's a desktop machine, not a server - it's not going anywhere.

I'm not sure I see what you're getting at, and might be missing your
point.  You asked what "network security programs" besides nmap you
should look over.  Aside from Prelude-IDS (a good example of file-based
IDS that I mentioned elsewhere), I cited Nessus and Tiger as things
worthy of your attention.  (One might add "snort".)

Anyway, my comment about "beware the gadget freak side" was just a
gentle reminder that throwing more software at a possible security
problem (something Linux geeks do all too often) is usually the wrong

> Well, I'm learning.  Desktop security measures and server security
> measures share no common ground....

Er, don't they?  ;->  You happen to have run headlong into someone who
has staunchly disagreed with that assumption for decades.  (But then, I
see the distinction between desktops and servers as somewhat artificial
and illusory, to begin with -- yet another antique ideological argument,
I'm afraid.)

