[clug] Stopping them at the door

Sam Couter sam at couter.dropbear.id.au
Mon Feb 14 09:10:17 GMT 2005


Paul Wayper <paul.wayper at anu.edu.au> wrote:
> but what I'm worried about is coming in 
> in the morning to find the logs saying someone's bashed away with a 
> brute force password checker and found my password

Don't use passwords. Use a public key pair with SSH instead. Carry the
private key with you on a CD or USB key. Only use the key on trusted
machines.

> The question I have is: if someone's managed to get access to a non-root 
> account, how certain is it that they can get root access?

It's fairly likely that non-root local access will quickly allow an
expert attacker root access. There are several reasons for this,
including the fact that we admins make certain assumptions about local
account security and that the kernel and other system software have many
many more interfaces (and therefore potential vulnerabilities) for a
local user compared to a remote user.

> Is SELinux the answer?

Maybe not *the* answer, but definitely part of the solution.

Russell Coker (and others I assume) have had SELinux play boxes available
on the 'net with publicly known root passwords. They don't get
compromised very often, and every time they do, the SELinux code and/or
policy gets just a little bit better.

> On a related note, how do I lengthen the amount of time the system 
> stores the security logs?

If you're using logrotate, you can configure such things in the files in
/etc/logrotate.d/
-- 
Sam "Eddie" Couter  |  mailto:sam at couter.dropbear.id.au
Debian Developer    |  mailto:eddie at debian.org
                    |  jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
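
Added example (not part of the original message): after switching to key pairs as recommended above, this checks that an sshd_config really has password logins turned off. It relies on sshd using the first value it reads for each keyword; the function names and sample configs are constructed, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# sample configs are constructed for illustration.

# Print the effective value of an sshd_config keyword read from stdin.
# sshd keeps the FIRST value it reads for a keyword, and keyword names are
# case-insensitive. Only the global section is read: parsing stops at the
# first Match line. $1 = keyword (or alias1|alias2), $2 = default if unset.
sshd_effective() {
    awk -v keys="$1" -v def="$2" '
        BEGIN { re = "^(" tolower(keys) ")$"; val = def }
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }           # conditional blocks start
        tolower($1) ~ re { val = tolower($2); exit }
        END { print val }
    '
}

# Exit status 0 if the config on stdin still permits password-style logins.
# Keyboard-interactive counts too, since it can carry a password prompt
# (for example through PAM); ChallengeResponseAuthentication is its old name.
password_login_possible() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    kbd=$(printf '%s\n' "$cfg" | sshd_effective \
        'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)
    [ "$pw" = yes ] || [ "$kbd" = yes ]
}

# Constructed sample: "no" was appended, but the earlier "yes" wins.
SAMPLE_SHADOWED='PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication no
KbdInteractiveAuthentication no'

# Constructed sample: key-only logins.
SAMPLE_KEYS_ONLY='# keys only
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

for sample in "$SAMPLE_SHADOWED" "$SAMPLE_KEYS_ONLY"; do
    if printf '%s\n' "$sample" | password_login_possible; then
        echo "password logins still possible"
    else
        echo "keys only"
    fi
done
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself computes it and is the authoritative check.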