[svlug] Configuring Server - SSH Trouble + Security Considerations

Lord Sauron lordsauronthegreat at gmail.com
Mon Oct 23 16:19:54 PDT 2006

On 10/23/06, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Lord Sauron (lordsauronthegreat at gmail.com):
> > It I'm careful and build my PHP correctly I don't think anything
> > should get through.
> Oh, you're definitely in a good starting point, if you're writing your
> _own_ PHP.  The usual problem is in deciding to deploy, say, Drupal or
> phpBB -- especially if you do so from tarballs rather than from distro
> packages of those codebases, because then you don't receive automatic
> security patches.

Yes, I do try and keep with what distros supply wherever possible,
since I do appreciate the auto-updating feature.

> > What's the issue with pserver?
> Eh, I've been carefully avoiding running it for so many years that I've
> forgotten details, but it sends plaintext login passwords across the
> wire, for one thing -- just like non-ssl, non-anonymous ftp or regular

I've been using pserver for CVS locally on my laptop, but wow...
That's a pretty big flaw.

> POP3 or telnet.  And it has had a really regrettable history in other
> ways, too.  Add to that the fact that it's just a lame crutch for people
> unwilling to install an ssh client (http://linuxmafia.com/ssh/), and I
> personally wouldn't go near it, ever.

Unless you're like me and running it locally.  It's hard to catch
packets off of somebody else's loopback device.

> > I did decide that if I was going to use ftp, it would be sftp or
> > something more secure.
> sftp is _not ftp_.  That's a frequent bad assumption people make, based
> just on the similarity of name.  But they implement different protocols
> entirely.

Do they do somewhat the same thing?

> > >Off the top of my head, gee, dunno.  Nessus?  Tiger?  Maybe you should
> > >start out with just one or two basic tools and learn to use those
> > >_well_.  (Beware the Gadget Freak Side, Luke.)
> >
> > It's a desktop machine, not a server - it's not going anywhere.
> I'm not sure I see what you're getting at, and might be missing your
> point.  You asked what "network security programs" besides nmap you
> should look over.  Aside from Prelude-IDS (a good example of file-based
> IDS that I mentioned elsewhere), I cited Nessus and Tiger as things
> worthy of your attention.  (One might add "snort".)

I've tried my hand at airsnort.  Didn't get anywhere because my
wireless drivers don't support promiscus mode.

> Anyway, my comment about "beware the gadget freak side" was just a
> gentle reminder that throwing more software at a possible security
> problem (something Linux geeks do all too often) is usually the wrong
> approach.

I was referring to throwing more software on my laptop to test the
security of my server.

> > Well, I'm learning.  Desktop security measures and server security
> > measures share no common ground....
> Er, don't they?  ;->  You happen to have run headlong into someone who
> has staunchly disagreed with that assumption for decades.  (But then, I

I think they are totally different.  Servers have to worry about
direct attacks.  Workstations have to worry about smaller, more
subversive, usually user-started (clicking on the attachment-type
stuff) attacks.  When was that last time you got a DDoS attack on your
laptop?  Unless I'm inordinately more naive than I think I am, the
types of attacks are different.

> see the distinction between desktops and servers as somewhat artificial
> and illusory, to begin with -- yet another antique ideological argument,
> I'm afraid.)

To me a server is something that has a power cable and a networking
cable.  A desktop/workstation is something that has a keyboard and
mouse and a attached humanoid life form and is shut down at night.
Pretty crude distinction, but it holds its water reasonably well.

========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+
L++ E--- W+(+++) N++ o? K? w--- O? M+
V? PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+
                DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========

More information about the svlug mailing list