| gabriel rosenkoetter on Thu, 21 Nov 2002 11:10:05 -0500 |
|
On Thu, Nov 21, 2002 at 10:17:29AM -0500, epike@isinet.com wrote: > system backup --- /home, /etc, /www and stuff. We can't be > carrying tapes to the site where the server is located everyday:-) Your aware that large data transfers via SSH *really* hurt the processor, right? (scp a large file--or dd a large file across a pipe through ssh-- then look at top on both sides; that's the encryption chugging.) > I understand the risk, its going to be, that anybody who gets > the private keys will be able to mirror all the files > on the server. No, it's worse than that. They will be able to do anything that root could do on the server by executing rsync --daemon. That includes read /etc/shadow, it includes writing over libc with a trojaned version, so forth. If anyone gets those keys, you've lost, reformat the box. > Actually the "backup clients" will have almost > no services active (probably just local telnet for maintenance, > and sendmail for mailing out status). Why not sshd instead of telnet? And you don't need to have sendmail listening in order to send outgoing SMTP email, only to receive SMTP email. -- gabriel rosenkoetter gr@eclipsed.net Attachment:
pgp9lDNbigc1m.pgp
|
|