[CentOS] Security advice, please
Bill Campbell
centos at celestial.com
Wed Dec 24 19:54:09 UTC 2008
On Wed, Dec 24, 2008, jkinz at kinz.org wrote:
>On Wed, Dec 24, 2008 at 09:43:19AM -0800, Bill Campbell wrote:
>> On Wed, Dec 24, 2008, jkinz at kinz.org wrote:
>> >Top posting to ask a question regarding the article below:
>> > Summary: Enable ssh to allow login from any random point on
>> > the internet
>>
>> I always have my laptop with me,
>
>An excellent strategy, Bill. I use it myself, but I explicitly excluded
>it in my question. Why? Because there are lots of scenarios in the world
>where people won't be able to use their laptop or netbook and will have
>to fall back on using someone else's equipment.
>
>Two examples :
>You are visiting the Otis Public Library in Norwich CT. They have Linux
>based public workstations (w/Internet access).
>(http://www.otislibrarynorwich.org/index.htm)
>
>Or you are a consultant visiting a corporate client who doesn't allow
>"outside equipment" to be used on their network, so they maintain
>specific machines for "guests" to use. (Hint, "DOD" )
I don't do business with government agencies, it just encourages
them to continue their legal plunder (and often it takes forever
to get paid -- unless one offers an early payment discount that
they are required by law to use).
>(I have run into both of these. :-) )
>
>example three - A TSA attendant "accidentally" drops your
>laptop.. in front of a forklift... (Merry Christmas!)
That might well get me to cancel my trip.
>All your ideas are good ones to which I would add using port knocking
>(not perfect at all but adds an additional small barrier)
I am aware of port knocking, but doing that certainly requires
stuff on the client computer that wouldn't be available at the
average Internet cafe or kiosk device.
>The best technique I have used is to put up an https web page
>that requires the person desiring entry to be presented with a
>challenge<->response dialog that is generated from a specific one-time
>use pad of CR key pairs. That way, each session requires a unique
>response to enable it. This is awkward but helps keep the unwanted
>visitors out. This would be a variation on your SSL webmin
>suggestion.
I saw something recently on one of the many mailing lists about a
USB device that generates one-time-passwords at very reasonable
cost. These can be plugged into anything with a USB port that
would recognize a USB keyboard.
>Unfortunately, the worst case scenario ( a compromised machine
>that does key logging) which you pointed out, will always be a
>potential problem..
>
>So when on the road, perhaps we should restrict doing
>online banking to just the cell phone.. :-) hmm.......
My bank is set up to make one jump through several hoops when
logging in from an IP from which it has not seen a login to the
account, and may even distinguish browsers, as I think I have had
to do something special when using Safari on my desktop instead
of my normal Firefox. My bank is a small regional bank where the
people at the branch know me, and even recognize my voice on the
phone, so it's pretty easy for me to do things by phone. I *HATE*
dealing with megabanks where customer service is an oxymoron.
...
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
It is better to die on your feet than to live on your knees!
-- Emiliano Zapata.
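The one-time challenge/response pad that jkinz describes above (a printed list of challenge/response pairs, each usable exactly once, checked by an https front page before the real login is allowed) can be sketched in a few lines. The following is an added example, not code from either poster or from the CentOS project; the names `generate_pad` and `OneTimeChallengeVerifier`, the pad sizes, and the embedded sample pad are all assumptions made for illustration. The server side stores only a hash of each expected response, burns a challenge on first use whether or not the answer was right (so each challenge gets a single guess), and rejects replays.

```python
"""One-time challenge/response pad, as a printed-card second factor.

Added example (hypothetical names); the user carries the printed pad,
the server keeps only hashes of the responses and a used-set.
"""
import hashlib
import hmac
import secrets


def generate_pad(n, challenge_bytes=4, response_bytes=5):
    """Return n (challenge, response) hex pairs for the user to print.

    Challenges are kept unique so the server can key on them; responses
    are independent random secrets (not derived from the challenge).
    """
    pad = []
    seen = set()
    while len(pad) < n:
        challenge = secrets.token_hex(challenge_bytes)
        if challenge in seen:          # vanishingly rare, but keep keys unique
            continue
        seen.add(challenge)
        pad.append((challenge, secrets.token_hex(response_bytes)))
    return pad


def _digest(response):
    # Normalise what a person types from a printed card: strip, lower-case.
    return hashlib.sha256(response.strip().lower().encode()).digest()


class OneTimeChallengeVerifier:
    """Server-side state for one user's pad (hypothetical class name)."""

    def __init__(self, pad):
        # Store only the hash of each response so a leaked database does
        # not hand out the remaining pad in the clear.
        self._expected = {c: _digest(r) for c, r in pad}
        self._order = [c for c, _ in pad]
        self._used = set()

    def next_challenge(self):
        """Return the next unused challenge to show on the https page, or None."""
        for c in self._order:
            if c not in self._used:
                return c
        return None                      # pad exhausted: issue a new card

    def verify(self, challenge, response):
        """Check one answer. The challenge is burnt on first use, right or wrong."""
        if challenge not in self._expected or challenge in self._used:
            return False                 # unknown challenge or replay
        self._used.add(challenge)        # burn before comparing: one guess only
        return hmac.compare_digest(self._expected[challenge], _digest(response))

    def remaining(self):
        return len(self._order) - len(self._used)


if __name__ == "__main__":
    # Constructed demo: mint a pad, "print" it, then run a login.
    pad = generate_pad(5)
    for c, r in pad:
        print(f"{c}  ->  {r}")
    server = OneTimeChallengeVerifier(pad)
    shown = server.next_challenge()
    answer = dict(pad)[shown]            # the user reads this off the card
    print("login ok:", server.verify(shown, answer))
    print("replay ok:", server.verify(shown, answer))   # False: already burnt
    print("entries left:", server.remaining())
```

Burning the challenge on a wrong answer is what keeps an online guess at the 40-bit response from being repeatable, but it also means someone who can reach the page can exhaust a pad by feeding it garbage; in practice the front page should rate-limit per source and the owner should carry more entries than one trip needs. The pad itself is only as secret as the piece of paper (or the kiosk's screen and keyboard, which is the key-logger caveat raised in the thread), which is why each entry is worthless after a single use.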