[svlug] Configuring Server - SSH Trouble + Security Considerations
Rick Moen
rick at linuxmafia.com
Mon Oct 23 17:43:33 PDT 2006
Quoting Lord Sauron (lordsauronthegreat at gmail.com):
> Yes, I do try and keep with what distros supply wherever possible,
> since I do appreciate the auto-updating feature.
Whenever you _do_ go outside the packaging system (e.g., for unpackaged
Web apps), do try to remember that downside: None of them will ever get
updates, and you'll probably never even see security advisories, without
your being on top of the matter personally, pre-1994-style.
[disadvantages of pserver:]
> Unless you're like me and running it locally. It's hard to catch
> packets off of somebody else's loopback device.
Um, I might be missing something, but, if you're using a local
repository, why use a network mechanism at all, even a loopback one?
Just strip off that extra syntax and do "cvs -d /.../cvsroot checkout module".
Anyway, I feel a little dirty, even reminding myself of how to use CVS
in 2006. CVS is so last millennium. See: "SCM" on
http://linuxmafia.com/kb/Devtools/
And remember: Git is the new RCS:
https://monkey.linuxworld.com/SecretWeapons.html
> >sftp is _not ftp_. That's a frequent bad assumption people make, based
> >just on the similarity of name. But they implement different protocols
> >entirely.
>
> Do they do somewhat the same thing?
Yes, in more or less the same way telnet and ssh do.
(Not a complaint, but you really could have looked that up, you know.)
[I mentioned "snort".]
> I've tried my hand at airsnort. Didn't get anywhere because my
> wireless drivers don't support promiscuous mode.
I'm pretty sure there's no connection whatsoever between snort and
airsnort, except perhaps of inspiration. Again, you really could and
should have consulted our good friend Mr. Search Engine, and determined
that for yourself.
> >Anyway, my comment about "beware the gadget freak side" was just a
> >gentle reminder that throwing more software at a possible security
> >problem (something Linux geeks do all too often) is usually the wrong
> >approach.
>
> I was referring to throwing more software on my laptop to test the
> security of my server.
Which gets me back to my point, which I will restate just one more time,
and then quit: Please consider, instead of collecting and playing with
a whole zoo of similar tools, picking one or two ones that seem
reasonable candidates for being best of breed, and learn to use those
_well_. IMVAO, you'll probably get better results.
> I think they are totally different. Servers have to worry about
> direct attacks. Workstations have to worry about smaller, more
> subversive, usually user-started (clicking on the attachment-type
> stuff) attacks.
First of all, workstations often are serving up a whole bunch of network
services on their network interfaces (and not just localhost) -- whether
their owners so intend or not. Spend a little time with nmap, and
you'll see.
Second, _my_ workstations tend to not be cleanly distinguishable from
servers, by design. Which machine is a client to the other for which
protocol is a matter of convenience and system design -- and a machine A
that functions in a client role to machine B for one network protocol,
or on one occasion, may be server to machine B for other protocols or on
other occasions. That is, I long ago rejected the clean dichotomy
implied by the workstation/server distinction: MIPS is MIPS. I run
processes wherever it suits me to put them, that being one of the
prerogatives (and pitfalls) of ownership.
Third, even "workstation" boxes that happen to run no network services
face network-based attacks from users' outbound network connections,
e.g., from public data files: Javascript, GIF files, PDFs, PostScript,
even MP3s. Did you know that someone once released a worm capable of
attacking Linux users' copies of mpg123 using a Trojaned MP3 file?
(The vulnerability existed only in an mpg123 prerelease, but it
illustrates the concept.)
Fourth, any exploitable vulnerabilities in kernels and network stacks
affect workstations equally as much as servers. The first time I spent
significant time on the OpenProjects #debian IRC channel and left my
laptop on-channel for a day or so, someone monitoring the /who list
thought it was cute to launch a TCP stack attack against me and panic my
laptop's kernel, which was overdue for an upgrade. (I really didn't
mind: It was a harmless if slightly rude security reminder.)
> When was that last time you got a DDoS attack on your laptop?
If my laptop's on the outer portion of my LAN, it's subject to many of
the same DDoS attack modes my server is. (DDoS works through resource
exhaustion, and one of the really obvious resources to deplete,
especially for someone on a relatively feeble aDSL line, is bandwidth
itself. Or you go for file handles, half-open connections via SYN
flooding, etc.)
If my laptop is on the inner portion of my LAN, behind NAT, then it's
slightly obscured from direct attack, but at the mercy of attacks on the
NAT host.
> To me a server is something that has a power cable and a networking
> cable. A desktop/workstation is something that has a keyboard and
> mouse and an attached humanoid life form and is shut down at night.
> Pretty crude distinction, but it holds its water reasonably well.
If I put a 24x7-capable external hard drive on my Ubuntu G3 iBook and
made it take over all the functions of my antique VA Research model 500
server, what would the laptop be then?
(One thing for damned sure: It would have more disk space and RAM. ;-> )
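As an added example (not part of the thread), here is the host-side counterpart of the "spend a little time with nmap" check above: a Python script that parses /proc/net/tcp and /proc/net/tcp6 and lists TCP listeners bound to anything other than a loopback address, which is exactly the set of services a "workstation" is serving to the network whether or not its owner intended it. It assumes a little-endian Linux host (the kernel stores addresses in host byte order); the sample tables are constructed, not captured.

```python
"""Hypothetical audit: TCP listeners bound to non-loopback addresses, from /proc/net/tcp{,6}.
Assumes a little-endian host: /proc/net/tcp stores each 32-bit address word in host order."""
import ipaddress
import socket

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def decode_addr(hexaddr):
    """Convert a /proc/net/tcp hex address (IPv4 or IPv6) to text form."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    # IPv6: four 32-bit words, each stored little-endian; reverse word by word
    words = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    return socket.inet_ntop(socket.AF_INET6, words)

def exposed_listeners(*proc_tables):
    """Return sorted (address, port) pairs in LISTEN state on a non-loopback address."""
    found = set()
    for table in proc_tables:
        for line in table.splitlines()[1:]:  # first line is the column header
            fields = line.split()
            if len(fields) < 4 or fields[3] != TCP_LISTEN:
                continue  # established/closing sockets are not services
            hexaddr, hexport = fields[1].split(":")
            addr = decode_addr(hexaddr)
            if ipaddress.ip_address(addr).is_loopback:
                continue  # only reachable from the box itself
            found.add((addr, int(hexport, 16)))
    return sorted(found)

# Constructed sample tables: sshd on all interfaces, a database on the LAN
# address, CUPS on loopback only, one established connection, and an IPv6
# listener on ::1. Only the first two should be reported.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 101 1 0 100 0 0 10 0
   1: 0B01A8C0:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 102 1 0 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 103 1 0 100 0 0 10 0
   3: 0B01A8C0:B3A1 0501A8C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 104 1 0 100 0 0 10 0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 105 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    # Run against the live kernel tables when executed on a Linux host.
    tables = [open(path).read() for path in ("/proc/net/tcp", "/proc/net/tcp6")]
    for addr, port in exposed_listeners(*tables):
        print(f"{addr}:{port}")
```

Anything this prints that you did not deliberately configure is a service you are running for the whole network; compare the list against an nmap scan from another host to confirm what is actually reachable through any local firewall.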