Re: Security basics



On 04/10/2007, Tod Merley <todbot88@xxxxxxxxx> wrote:
On 10/4/07, Alan M. Evans <fedoralist@xxxxxxxxxxxxx> wrote:
On Thu, 2007-10-04 at 00:26 +0100, Jonathan Underwood wrote:
On 03/10/2007, Alan M. Evans <fedoralist@xxxxxxxxxxxxx> wrote:
Keep your SSH and your "real password" and sleep like a baby. As for me,
I won't trust SSH alone. I employ other methods, including rsa keys,
special iptables rules, and SELinux, to enhance the security of my
system. (For the record, I run SSH on the standard port, despite the
fact that I claim it would enhance security further.)


I'd be interested to know what SELinux policy changes you've
implemented to add further security to sshd?

None, actually. Sorry if I was misunderstood. I merely mentioned SELinux
because I'm aware that Karl doesn't think it's useful and I do because
of the "layered security" model that I was discussing. Karl was saying,
in effect, that SSH and a "good" password were enough, and that's why I
was mentioning layered security.

In retrospect, it probably shouldn't have been lumped in with the rsa
keys and iptables rules.

(Also, Karl may not have anything against SELinux. I just made that
statement without researching the list history because in my mind I
lumped him in with the cabal of anti-SELinux guys. That impression may
be incorrect.)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


Hi Alan!

With SSH and similar popular connection tools I would like to see a
utility which sets up a client on the machine seeking the connection
which talks to a server on the machine being connected to. The
utility would use a customized "query / response" protocol on a
non-standard port to turn on the connection tool (e.g. SSH) and
establish the connection on a random non-standard port, the identity
of which is communicated by a custom encrypted packet.

The original query to the server would need to be proper to elicit a
response. So, the keys to the box, and the location of the locks are
only known to the user.

Anyone already doing this?


I think you're describing port knocking - read

http://en.wikipedia.org/wiki/Port_knocking

and look at the links at the end.

J.

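The query/response scheme Tod describes, which Jonathan identifies as port knocking, as an added illustration (this is not code from the thread, from the Wikipedia article, or from any port-knocking project): the client sends one authenticated "knock"; if the knock is genuine, fresh, bound to the sending address and not a replay, the server picks a random port, records an allow rule for that source and returns the chosen port in a packet encrypted and authenticated under the shared key. Everything not in the thread is an assumption of this example: the pre-shared key, the 30-second window, the HMAC-SHA256 construction, the sample addresses (taken from the RFC 5737 documentation ranges) and the plain list that stands in for the iptables rules a real daemon would insert.

```python
"""Toy "knock, then open a random port" authoriser, in the spirit of the
query/response scheme described above. Added example, not code from the
list thread or from any port-knocking project. Assumptions: a pre-shared
key, a 30-second freshness window, and a plain list standing in for the
iptables rules a real daemon would insert."""
import hashlib
import hmac
import os
import random
import struct
import time

WINDOW_SECONDS = 30                         # assumed freshness window
KEY = b"constructed-pre-shared-key-demo"    # constructed sample key
HEADER = struct.Struct("!Q8s")              # timestamp, nonce
TAG_LEN = 32                                # HMAC-SHA256 digest length


def _mac(key, label, data):
    # Domain-separated HMAC so knock, response and pad material never collide.
    return hmac.new(key, label + data, hashlib.sha256).digest()


def build_knock(key, client_ip, now=None, nonce=None):
    """Client side: the 'proper query'. Binds time, a nonce and the client's
    address under an HMAC so a sniffed knock cannot be replayed later or
    from another address."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8) if nonce is None else nonce
    body = HEADER.pack(now, nonce) + client_ip.encode()
    return body + _mac(key, b"knock", body)


def decode_response(key, nonce, response):
    """Client side: recover the port the server chose. Returns None if the
    response is not authentic for this nonce."""
    enc, tag = response[:2], response[2:]
    if not hmac.compare_digest(tag, _mac(key, b"resp", nonce + enc)):
        return None
    pad = _mac(key, b"pad", nonce)[:2]
    return struct.unpack("!H", bytes(a ^ b for a, b in zip(enc, pad)))[0]


class KnockServer:
    def __init__(self, key, window=WINDOW_SECONDS, choose_port=None):
        self.key = key
        self.window = window
        self.choose_port = choose_port or (
            lambda: random.SystemRandom().randrange(1024, 65536))
        self.seen_nonces = set()   # replay cache (a real daemon would age entries)
        self.open_rules = []       # (client_ip, port) pairs, stand-in for iptables

    def handle(self, packet, source_ip, now=None):
        """Server side. Returns the encrypted response on a valid knock and
        None otherwise; on None the server sends nothing, so a scanner sees
        the knock port behave exactly like a closed one."""
        now = int(time.time()) if now is None else now
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, b"knock", body)):
            return None                                  # wrong key or noise
        ts, nonce = HEADER.unpack(body[:HEADER.size])
        if body[HEADER.size:].decode(errors="replace") != source_ip:
            return None                                  # knock not from claimed source
        if abs(now - ts) > self.window:
            return None                                  # stale knock
        if nonce in self.seen_nonces:
            return None                                  # replayed knock
        self.seen_nonces.add(nonce)
        port = self.choose_port()
        self.open_rules.append((source_ip, port))        # "turn on" sshd for this peer
        pad = _mac(self.key, b"pad", nonce)[:2]          # one-time pad derived from nonce
        enc = bytes(a ^ b for a, b in zip(struct.pack("!H", port), pad))
        return enc + _mac(self.key, b"resp", nonce + enc)


if __name__ == "__main__":
    server = KnockServer(KEY)
    nonce = os.urandom(8)
    knock = build_knock(KEY, "203.0.113.5", nonce=nonce)   # constructed client address
    reply = server.handle(knock, "203.0.113.5")
    print("port opened:", decode_response(KEY, nonce, reply))
    print("replay accepted:", server.handle(knock, "203.0.113.5") is not None)
```

The checks in `handle` are what make this more than obscurity: the MAC keeps anyone without the key from triggering a response, the source-address binding and freshness window stop a captured knock from being reused elsewhere or later, and the nonce cache rejects an exact replay within the window. Even so, the knock only decides who gets to reach sshd; SSH's own key or password authentication still runs afterwards, which is the layered arrangement discussed earlier in the thread.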


