
Spying


voidmain:
You got it buddy! Too bad more people don't "get it". Although, long pass phrases do you no good if there is a buffer overrun vulnerability in sshd. And long passwords do you no good if they float over the network unencrypted. Restricting based on IP can further help prevent a hack even if they did get your long password/phrase.

[ February 19, 2002: Message edited by: VoidMain ]

iancom:
BadKarma... you can find details on finding out whether you're vulnerable from here:

http://www.whoi.edu/CIS/systems_support/security/upgrading-ssh.html

For security, I tend to go with the following philosophy:

1. At the kernel-level (ipchains, iptables, ipfilter etc) deny all incoming packets to the machine that are not necessary (including filtering based on source IP)

2. Do not run any daemons on a machine that you do not have to

3. Daemons that do not absolutely have to run as root should be run as an unprivileged user

4. Daemons should, if possible, also be set up to do their own checking (independent of your firewall setup) on source-IP etc. Most common ones are capable of that.

5. Don't use stock distribution daemons. Compile your own from the latest source, subscribe to their "announce" mailing lists, and subscribe to CERT announcements to know when to upgrade.

Once you get used to doing it that way, it's surprisingly easy to keep it up!
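Point 1 of the list above (default-deny inbound traffic, with the remaining services filtered by source IP), as an added example that is not part of the original thread: a shell function that prints a ruleset for `iptables-restore` without touching the live firewall. The function name `gen_ruleset`, the source network 192.0.2.0/24 and port 22 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny INPUT policy
# that admits new TCP connections only from one known source network.

# gen_ruleset SRC_CIDR PORT [PORT...]
# Prints a filter table in iptables-restore format; changes nothing itself.
gen_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: gen_ruleset SRC PORT..." >&2; return 1; }
    src=$1
    shift
    # Loose sanity check: digits, dots and an optional /prefix only.
    # iptables-restore does the strict address parsing when the file is loaded.
    case $src in
        ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1 ;;
    esac
    # Validate every port before emitting anything, so a bad argument
    # never leaves a half-written ruleset behind.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2
            return 1
        fi
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # anything not matched below is dropped
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened itself
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -s $src -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample: sshd reachable only from 192.0.2.0/24
gen_ruleset 192.0.2.0/24 22
```

Review the printed ruleset, save it to a file, and load it as root with `iptables-restore < file`; the daemon's own source-IP checks from point 4 then act as a second, independent layer.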

voidmain:
Actually rather than going to IanC's link why don't you go straight to the CERT site.  That link has no date and you don't know if it is outdated.  For instance I found this on CERT:

http://www.kb.cert.org/vuls/id/JARL-557PVR

Which shows for SuSe 7.3 you should be 2.9.9p2-74 and a link to download it... Joining the CERT mailing list you will be kept up to date on vulnerabilities as they are made known, along with fix information.

iancom:
Good point...

I put that one in mostly because it's concise and easy to follow... I know that it's up-to-date enough to deal with the vulnerability that I was referring to with my friend's PC, which is what BadKarma was asking about.

Of course though, there is no substitute for getting your up-to-the-minute security information from a truly reliable source, like CERT.

voidmain:
And I'm not sure what SuSe uses, but RedHat has an "Errata" section on their web site with all the latest updates; I'm sure SuSe has something similar. Checking that often and upgrading the key parts you are interested in is usually a fairly easy thing to do and keeps you pretty up to date on vulnerabilities. CERT is good for explaining the effects of a vulnerability and why you should upgrade...
