Security basics

Karl Larsen k5di at zianet.com
Thu Oct 4 12:39:27 UTC 2007


Lamar Owen wrote:
> On Wednesday 03 October 2007, Karl Larsen wrote:
>   
>>     This whole line of reasoning is false. I don't care if Hacker, the
>> bad guy, gets on my computer with ssh. He then needs to come up with a
>> valid login name and password. If he fails at this in some set time it
>> all quits.
>>     
>
>   
>>     Until you can convince me that my system is at risk from ssh when
>> using a real password I am going to sleep well.
>>     
>
> Go to www.cert.org and search for "SSH vulnerability" and understand that, 
> while those holes have been patched, there will be other holes found.
>
> Buffer overflows impact your security.  SELinux does mitigate their impact to 
> a degree, as long as it's enabled and set to enforcing; but in the specific 
> case of ssh that won't help a great deal.
>
> To summarize the holes: over the years, remote execution vulnerabilities due 
> to program bugs have been found and patched; the fact that there have been 
> bugs of this nature found implies strongly that there are unpatched bugs in 
> the code now that have not been discovered (or if they've been discovered, 
> the knowledge hasn't been disseminated); holes must be assumed.
>
> Security is never absolute; and is best done in layers, and as a continuous 
> process.  I'm not going to say that I know everything there is to know about 
> it; no one does.  Nor am I going to say that my systems are invulnerable; no 
> one's are (unless they're turned off and unplugged).  But I have learned a few 
> things in my several years' experience in the field; layered security is one 
> of them.
>
> The degree of usability of a system and the degree of security of a system are 
> inversely proportional.
>   
    Right this moment someone is trying to hack into THIS system. The 
Internet traffic shows me this. I am growing tired of the ssh thing 
since I'm a desktop user. This never needs ssh. I think I will turn it off.



-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.



