[clug] secure remote access method [SEC=PERSONAL]

jm jeffm at ghostgun.com
Fri Jun 19 03:03:17 GMT 2009



Roppola, Antti - BRS wrote:
> Hi all,
>
> If you don't control the client, you really shouldn't be shelling in
> from that account anyhow.

> IMPORTANT - This message has been issued by The Department of Agriculture, Fisheries and Forestry (DAFF). The information transmitted is for the use of the intended recipient only and may contain sensitive and/or legally privileged material. It is your responsibility to check any attachments for viruses and defects before opening or sending them on. 

I better alert your CTO/CIO/sys admins that your dept's computers are 
insecure and to stop using them for work. :-)

> I'm not sure just how much of a problem this actually is. There's
> already been a bunch of good advice, most of which draws on well
> established practice. Perhaps there needs to be more awareness of the
> need to "defend in depth" and not rely on one layer.
>
>

Only one person in this thread has actually attempted to address the 
original problem description (Ben by suggesting httptunnel).

> I used to have an ssh listener at home. It was switched off most of the
> time, and the rest of the time it was behind an IPTables rule that
> restricted access to networks I was likely to be accessing it from. It
> didn't allow root logins at all. Ideally it would point to a separate
> unprivileged account that was running restricted shell. If I was going
> to continue to need access, I was going to set up a separate means of
> activating it with appropriate network settings (SMS? Dialin?).
>
>

SMS-based password authentication is a good idea as a method of OTP. 
Only downside I see is the cost associated with sending the 
messages (but nothing's perfect).

> Do you keep a *separate* log server and review unusual auth.log events?
> Are bad attempts greylisted?
>
> When did you last update and verify your TripWire signatures?
>
> Is your perimeter box constrained by SELinux or AppArmor?
>
> Yes, it is a lot of work. You need to decide how much is enough for you
> and your data.
>
> When I travel, I carry a live CD rather than trust kiosks and I do not
> access any accounts with sudo privileges.
>
> You should always assume that any perimeter breach is likely to be
> escalated to at least a system wide compromise.
>
> Cheers,
>
> Antti 
>
>
>   
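
The auth.log review raised in the quoted message, as an added example that is not part of the original thread: it flags repeated failures per source as greylist candidates, any accepted root login, and accepted logins from outside the expected networks. The allowed network, the threshold, the function name `review` and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the thread: allowed networks, threshold, sample lines.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_FAILURES = 3

# Greedy user field: the client picks the username, so a name containing
# " from <ip> port <n>" must not replace the real source, which sshd writes last.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2"
)

SAMPLE_LOG = """\
Jun 19 02:50:01 gw sshd[811]: Accepted publickey for antti from 192.0.2.10 port 40112 ssh2
Jun 19 02:51:10 gw sshd[820]: Failed password for root from 203.0.113.5 port 51200 ssh2
Jun 19 02:51:12 gw sshd[821]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2
Jun 19 02:51:15 gw sshd[822]: Failed password for invalid user test from 203.0.113.5 port 51202 ssh2
Jun 19 02:52:40 gw sshd[830]: Failed password for invalid user x from 192.0.2.10 port 1 from 198.51.100.7 port 40022 ssh2
Jun 19 02:53:05 gw sshd[831]: Accepted password for guest from 198.51.100.7 port 40030 ssh2
"""

def review(log_text):
    failures = Counter()
    findings = []  # (finding, source_ip) tuples in log order
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the address field
        if m["result"] == "Failed":
            failures[src] += 1
            if failures[src] == MAX_FAILURES:  # report each source once
                findings.append(("greylist-candidate", str(src)))
            continue
        if m["user"] == "root":  # root logins are not allowed at all
            findings.append(("root-login", str(src)))
        if not any(src in net for net in ALLOWED_NETS):
            findings.append(("login-from-unexpected-network", str(src)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run on a separate log host, as the quoted message suggests, this reads the forwarded copy of auth.log rather than the one on the perimeter box.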

