[clug] secure remote access method [SEC=PERSONAL]

Roppola, Antti - BRS Antti.Roppola at daff.gov.au
Fri Jun 19 01:45:34 GMT 2009


Hi all,

If you don't control the client, you really shouldn't be shelling in
from that account anyhow.

I'm not sure just how much of a problem this actually is. There's
already been a bunch of good advice, most of which draws on well
established practise. Perhaps there needs to be more awareness of the
need to "defend in depth" and not rely on one layer.

I used to have an ssh listener at home. It was switched off most of the
time, and the rest of the time it was behind an IPTables rule that
restricted access to networks I was likely to be accessing it from. It
didn't allow root logins at all. Ideally it would point to a separate
unprivileged account that was running restricted shell. If I was going
to continue to need access, I was going to set up a separate means of
activating it with appropriate network settings (SMS? Dialin?).

Do you keep a *separate* log server and review unusual auth.log events?
Are bad attempts greylisted?

When did you last update and verify your TripWire signatures?

Is your perimeter box constrained by SELinux or AppArmor?

Yes, it is a lot of work. You need to decide how much is enough for you
and your data.

When I travel, I carry a live CD rather than trust kiosks and I do not
access any accounts with sudo privileges.

You should always assume that any perimeter breach is likely to be
escalated to at least a system wide compromise.

Cheers,

Antti 
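One way to act on the "review unusual auth.log events" and "restrict access to known networks" points above, as an added example that is not part of the original post: a small Python reviewer that flags repeated failures from one address, any accepted root login, and any accepted login from outside the networks you expect to connect from. The allowed networks, threshold and log lines are constructed placeholders, not values from the thread.

```python
import ipaddress
import re

# Networks the owner expects to connect from (constructed placeholders).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
# Failed attempts from one address before it is flagged (assumed value).
FAIL_THRESHOLD = 3

# Matches OpenSSH auth.log lines such as
#   ... sshd[2105]: Failed password for invalid user admin from 192.0.2.5 port 40100 ssh2
#   ... sshd[2101]: Accepted publickey for antti from 203.0.113.7 port 51022 ssh2
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port"
)

def review_auth_log(lines, allowed_nets=ALLOWED_NETS, threshold=FAIL_THRESHOLD):
    """Return (kind, user, ip) findings that deserve a human look, in log order."""
    failures = {}   # source ip -> count of failed attempts seen so far
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not an sshd auth result line
        user, ip_str, result = m["user"], m["ip"], m["result"]
        ip = ipaddress.ip_address(ip_str)
        outside = not any(ip in net for net in allowed_nets)
        if result == "Failed":
            failures[ip_str] = failures.get(ip_str, 0) + 1
            if failures[ip_str] == threshold:   # report once per address
                findings.append(("repeated_failures", user, ip_str))
        else:
            if user == "root":                  # root logins should be disabled
                findings.append(("root_login", user, ip_str))
            if outside:                         # outside the expected source nets
                findings.append(("login_outside_allowed_nets", user, ip_str))
    return findings

# Constructed sample auth.log excerpt for demonstration.
SAMPLE_LOG = """\
Jun 19 01:40:01 bastion sshd[2101]: Accepted publickey for antti from 203.0.113.7 port 51022 ssh2
Jun 19 01:41:10 bastion sshd[2105]: Failed password for invalid user admin from 192.0.2.5 port 40100 ssh2
Jun 19 01:41:12 bastion sshd[2106]: Failed password for invalid user admin from 192.0.2.5 port 40101 ssh2
Jun 19 01:41:15 bastion sshd[2107]: Failed password for root from 192.0.2.5 port 40102 ssh2
Jun 19 01:45:34 bastion sshd[2110]: Accepted password for root from 192.0.2.9 port 40200 ssh2
""".splitlines()

if __name__ == "__main__":
    for kind, user, ip in review_auth_log(SAMPLE_LOG):
        print(f"{kind}: user={user} ip={ip}")
```

Pointing it at a copy of auth.log shipped to a separate log host keeps the review off the box that may already be compromised.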

-----Original Message-----
From: linux-bounces+antti.roppola=brs.gov.au at lists.samba.org
[mailto:linux-bounces+antti.roppola=brs.gov.au at lists.samba.org] On
Behalf Of jm
Sent: Friday, 19 June 2009 11:23 AM
To: CLUG List
Subject: Re: [clug] secure remote access method

Using or not using passwords with ssh is MOOT if you can't use ssh to
get remote access in the first place.

Further, even if you are *lucky* enough to be able to use ssh you may
not be in a position to use public key authentication as you don't
control the client.

Jeff.

