[svlug] Configuring Server - SSH Trouble + Security Considerations
lordsauronthegreat at gmail.com
Mon Oct 23 16:19:54 PDT 2006
On 10/23/06, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Lord Sauron (lordsauronthegreat at gmail.com):
> > If I'm careful and build my PHP correctly I don't think anything
> > should get through.
> Oh, you're definitely in a good starting point, if you're writing your
> _own_ PHP. The usual problem is in deciding to deploy, say, Drupal or
> phpBB -- especially if you do so from tarballs rather than from distro
> packages of those codebases, because then you don't receive automatic
> security patches.
Yes, I do try and keep with what distros supply wherever possible,
since I do appreciate the auto-updating feature.
> > What's the issue with pserver?
> Eh, I've been carefully avoiding running it for so many years that I've
> forgotten details, but it sends plaintext login passwords across the
> wire, for one thing -- just like non-ssl, non-anonymous ftp or regular
I've been using pserver for CVS locally on my laptop, but wow...
That's a pretty big flaw.
> POP3 or telnet. And it has had a really regrettable history in other
> ways, too. Add to that the fact that it's just a lame crutch for people
> unwilling to install an ssh client (http://linuxmafia.com/ssh/), and I
> personally wouldn't go near it, ever.
Unless you're like me and running it locally. It's hard to catch
packets off of somebody else's loopback device.
> > I did decide that if I was going to use ftp, it would be sftp or
> > something more secure.
> sftp is _not ftp_. That's a frequent bad assumption people make, based
> just on the similarity of name. But they implement different protocols
Do they do somewhat the same thing?
> > >Off the top of my head, gee, dunno. Nessus? Tiger? Maybe you should
> > >start out with just one or two basic tools and learn to use those
> > >_well_. (Beware the Gadget Freak Side, Luke.)
> > It's a desktop machine, not a server - it's not going anywhere.
> I'm not sure I see what you're getting at, and might be missing your
> point. You asked what "network security programs" besides nmap you
> should look over. Aside from Prelude-IDS (a good example of file-based
> IDS that I mentioned elsewhere), I cited Nessus and Tiger as things
> worthy of your attention. (One might add "snort".)
I've tried my hand at airsnort. Didn't get anywhere because my
wireless drivers don't support promiscuous mode.
> Anyway, my comment about "beware the gadget freak side" was just a
> gentle reminder that throwing more software at a possible security
> problem (something Linux geeks do all too often) is usually the wrong
I was referring to throwing more software on my laptop to test the
security of my server.
> > Well, I'm learning. Desktop security measures and server security
> > measures share no common ground....
> Er, don't they? ;-> You happen to have run headlong into someone who
> has staunchly disagreed with that assumption for decades. (But then, I
I think they are totally different. Servers have to worry about
direct attacks. Workstations have to worry about smaller, more
subversive, usually user-started (clicking on the attachment-type
stuff) attacks. When was the last time you got a DDoS attack on your
laptop? Unless I'm inordinately more naive than I think I am, the
types of attacks are different.
> see the distinction between desktops and servers as somewhat artificial
> and illusory, to begin with -- yet another antique ideological argument,
> I'm afraid.)
To me a server is something that has a power cable and a networking
cable. A desktop/workstation is something that has a keyboard and
mouse and an attached humanoid life form and is shut down at night.
Pretty crude distinction, but it holds its water reasonably well.
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+
L++ E--- W+(+++) N++ o? K? w--- O? M+
V? PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+
DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========
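The exchange above turns on two claims: that pserver, ftp, POP3 and telnet send login credentials in the clear, and that running such a service is tolerable when it is bound only to the loopback interface. The following check, added here as an example and not part of the original thread or of any tool the posters mention, audits `ss -ltn`-style listener output for those four well-known ports and reports whether each is loopback-only or reachable from the network. The sample output, the port-to-service mapping and the column layout are constructed for this example.

```python
import ipaddress

# Well-known ports of the cleartext-credential protocols named in the thread.
# Constructed mapping for this example (IANA assignments).
CLEARTEXT_AUTH_PORTS = {
    21: "ftp",
    23: "telnet",
    110: "pop3",
    2401: "cvs pserver",
}

# Constructed sample in the layout of `ss -ltn` (header row, then one listener per line).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:2401      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      50     192.168.1.10:21     0.0.0.0:*
LISTEN 0      128    [::1]:110           [::]:*
LISTEN 0      128    [::]:23             [::]:*
"""


def parse_local_endpoint(field):
    """Split an ss 'addr:port' field into (address, port).

    Handles bracketed IPv6 ('[::1]:110') and the wildcard forms ss prints.
    """
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"
    return host, int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; anything unparseable is treated as not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output):
    """Return (service, host, port, verdict) for every cleartext-auth listener found.

    verdict is 'loopback-only' when the socket is bound to a loopback address,
    otherwise 'EXPOSED' (credentials would cross a real network interface).
    """
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, port = parse_local_endpoint(parts[3])
        service = CLEARTEXT_AUTH_PORTS.get(port)
        if service is None:
            continue
        verdict = "loopback-only" if is_loopback(host) else "EXPOSED"
        findings.append((service, host, port, verdict))
    return findings


if __name__ == "__main__":
    for service, host, port, verdict in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{verdict:13} {service:12} {host}:{port}")
```

On a live system the same function can be fed the real output of `ss -ltn` (or `netstat -ltn` on older distributions, whose column order differs and would need the field index adjusted). A service that shows up as EXPOSED is the case Rick's warning is about; a loopback-only hit is the "running it locally" case and only has to be weighed against what else runs on that host.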