christophe barbé on Mon, 1 Jul 2002 14:30:43 -0400



Re: [PLUG] log as root or not ?


On Mon, Jul 01, 2002 at 01:37:06PM -0400, John Lavin wrote:
> > No, it really is less safe, as it really does pass a shared secret
> > over the wire, which is a terrible idea under any circumstances. We
> > have better ways of handling this situation now, so use them.
> Great - I love starting Monday off feeling less secure about my use of
> root.  ;-)
> 
> > I don't know about you, but my workstation is *clearly* more secure
> > than any of the servers I administrate.
> Yours probably is, but a lot of people don't take security on their
> workstations too seriously, or put off hardening it since it's "only"
> connected periodically.  (You also have the "I have nothing important
> enough to steal" excuse)  I shut down every service I don't use and drop
> as much incoming traffic as possible, but I am still guilty of putting off
> hardening my system.  I don't monitor as well as I should either.  I don't
> think I'm the only one ...  so sometimes, yeah, I could see the
> server being more secure in some cases, sure.

My first line of defense on my workstation is a set of iptables rules
which basically reject everything coming from outside except for
established connections. This is very easy to set up with the IP connection
tracking module (ip_conntrack).
Of course I can do that because my workstation is not my server.

Another line of defense is to keep current with security patches.

I consider my data extremely valuable, at least to myself, so I can't
count on the "I have nothing important enough to steal" excuse.
If someone wants to use your workstation as a base (with others) for a
distributed DoS, he will certainly kill your workstation at the end to
erase all traces of himself, leaving you with no proof of your innocence
and no more unimportant data.

We are never paranoid enough, especially these days with DSL
connections.

Christophe


-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats are absolute individuals, with their own ideas about everything,
including the people they own. --John Dingman
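
The workstation policy described in the message above (reject everything inbound except established connections, using connection tracking), written as an iptables-restore ruleset together with an offline audit of iptables-save text. This is an added example, not part of the original message; the function names, the loopback rule and the RELATED state are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are illustrative.

# Default-deny inbound ruleset in iptables-restore format.
# Load as root with: workstation_rules | iptables-restore
# Assumption: RELATED is added so ICMP errors for our own traffic get through.
workstation_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Audit iptables-save text on stdin against that policy. Returns 0 only if
# INPUT is default-deny, accepts ESTABLISHED traffic, and has no other ACCEPT
# rule besides loopback. Understands both "-m conntrack --ctstate" and the
# older "-m state --state" spelling.
audit_input() {
awk '
/^:INPUT / { policy = $2 }
/^-A INPUT / {
    last = $0
    if ($0 !~ /-j ACCEPT/) next
    if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/ && $0 !~ /NEW/) { est = 1; next }
    if ($0 ~ /-i lo /) next
    print "open: " $0      # an inbound hole that the policy does not allow
    nopen++
}
END {
    catchall = (last ~ /^-A INPUT -j (DROP|REJECT)/)
    if (policy != "DROP" && !catchall) { print "INPUT is not default-deny"; bad = 1 }
    if (!est) { print "no ESTABLISHED accept rule"; bad = 1 }
    exit ((bad || nopen) ? 1 : 0)
}'
}

# Self-check: the generated ruleset must pass its own audit.
workstation_rules | audit_input && echo "INPUT chain matches the policy"
```

On a live machine the same check can be fed with `iptables-save | audit_input` (as root).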
