[CentOS] Security advice, please

Bill Campbell centos at celestial.com
Wed Dec 24 19:54:09 UTC 2008


On Wed, Dec 24, 2008, jkinz at kinz.org wrote:
>On Wed, Dec 24, 2008 at 09:43:19AM -0800, Bill Campbell wrote:
>> On Wed, Dec 24, 2008, jkinz at kinz.org wrote:
>> >Top posting to ask a question regarding the article below:
>> > Summary:  Enable ssh to allow login from any random point on
>> > the internet
>> 
>> I always have my laptop with me,
>
>An excellent strategy Bill.  I use it myself, but I explicitly excluded
>it in my question. Why? because there are lots of scenarios in the world
>where people won't be able to use their laptop or netbook and will have
>to fall back on using someone else's equipment.
>
>Two examples :  
>You are visiting the Otis Public Library in Norwich CT.  They have Linux
>based public workstations (w/Internet access). 
>(http://www.otislibrarynorwich.org/index.htm)
>
>Or you are a consultant visiting a corporate client who doesn't allow
>"outside equipment" to be used on their network, so they maintain
>specific machines for "guests" to use. (Hint, "DOD" )

I don't do business with government agencies, it just encourages
them to continue their legal plunder (and often it takes forever
to get paid -- unless one offers an early payment discount that
they are required by law to use).

>(I have run into both of these. :-) )
>
>example three - A TSA attendant "accidentally" drops your
>laptop.. in front of a forklift... (Merry Christmas!)

That might well get me to cancel my trip.

>All your ideas are good ones to which I would add using port knocking
>(not perfect at all but adds an additional small barrier) 

I am aware of port knocking, but doing that certainly requires
stuff on the client computer that wouldn't be available at the
average Internet cafe or kiosk device.

>The best technique I have used is to put up an https web page
>that requires the person desiring entry to be presented with a
>challenge<->response dialog that is generated from a specific one-time
>use pad of CR key pairs. That way, each session requires a unique
>response to enable it.  This is awkward but help keep the unwanted
>visitors out. This would be a variation on your SSL webmin
>suggestion.

I saw something recently on one of the many mailing lists about a
USB device that generates one-time-passwords at very reasonable
cost.  These can be plugged into anything with a USB port that
would recognize a USB keyboard.

>Unfortunately, the worst case scenario ( a compromised machine
>that does key logging) which you pointed out, will always be a 
>potential problem.. 
>
>So when on the road, perhaps we should restrict doing
>online banking to just the cell phone.. :-)  hmm....... 

My bank is set up to make one jump through several hoops when
logging in from an IP that it has not seen a login to the
account, and may even distinguish browsers as I think I have had
to do something special when using Safari on my desktop instead
of my normal Firefox.  My bank is a small regional bank where the
people at the branch know me, and even recognize my voice on the
phone so it's pretty easy for me to do things by phone.  I *HATE*
dealing with megabanks where customer service is an oxymoron.

...
Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

It is better to die on your feet than to live on your knees!
    -- Emiliano Zapata.


More information about the CentOS mailing list