[clug] Stopping them at the door

Sam Couter sam at couter.dropbear.id.au
Mon Feb 14 09:10:17 GMT 2005

Paul Wayper <paul.wayper at anu.edu.au> wrote:
> but what I'm worried about is coming in 
> in the morning to find the logs saying someone's bashed away with a 
> brute force password checker and found my password

Don't use passwords. Use a public key pair with SSH instead. Carry the
private key with you on a CD or USB key. Only use the key on trusted

> The question I have is: if someone's managed to get access to a non-root 
> account, how certain is it that they can get root access?

It's fairly likely that non-root local access will quickly allow an
expert attacker root access. There are several reasons for this,
including the fact that we admins make certain assumptions about local
account security and that the kernel and other system software has many
many more interfaces (and therefore potential vulnerabilities) for a
local user compared to a remote user.

> Is SELinux the answer?

Maybe not *the* answer, but definately part of the solution.

Russel Coker (and others I assume) have had SELinux play boxes available
on the 'net with publically known root passwords. They don't get
compromosed very often, and every time they do, the SELinux code and/or
policy gets just a little bit better.

> On a related note, how do I lengthen the amount of time the system 
> stores the security logs?

If you're using logrotate, you can configure such things in the files in
Sam "Eddie" Couter  |  mailto:sam at couter.dropbear.id.au
Debian Developer    |  mailto:eddie at debian.org
                    |  jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20050214/fd8e6a6d/attachment.bin

More information about the linux mailing list