[CentOS] Security advice, please

Wed Dec 24 19:20:12 UTC 2008
jkinz at kinz.org <jkinz at kinz.org>

On Wed, Dec 24, 2008 at 09:43:19AM -0800, Bill Campbell wrote:
> On Wed, Dec 24, 2008, jkinz at kinz.org wrote:
> >Top posting to ask a question regarding the article below:
> > Summary:  Enable ssh to allow login from any random point on
> > the internet
> 
> I always have my laptop with me,

An excellent strategy, Bill.  I use it myself, but I explicitly excluded
it in my question. Why? Because there are lots of scenarios in the world
where people won't be able to use their laptop or netbook and will have
to fall back on using someone else's equipment.

Two examples:
You are visiting the Otis Public Library in Norwich CT.  They have Linux-based
public workstations (w/Internet access).
(http://www.otislibrarynorwich.org/index.htm)

Or you are a consultant visiting a corporate client who doesn't allow
"outside equipment" to be used on their network, so they maintain
specific machines for "guests" to use. (Hint, "DOD" )

(I have run into both of these. :-) )

Example three: a TSA attendant "accidentally" drops your
laptop... in front of a forklift... (Merry Christmas!)

All your ideas are good ones, to which I would add using port knocking
(not perfect at all, but it adds an additional small barrier).

The best technique I have used is to put up an https web page
that requires the person desiring entry to be presented with a
challenge<->response dialog that is generated from a specific one-time
use pad of CR key pairs. That way, each session requires a unique
response to enable it.  This is awkward but helps keep the unwanted
visitors out. This would be a variation on your SSL webmin
suggestion.

Unfortunately, the worst case scenario (a compromised machine
that does key logging), which you pointed out, will always be a
potential problem.

So when on the road, perhaps we should restrict doing
online banking to just the cell phone.. :-)  hmm....... 


> accept only authorized_keys, (b) allow access from any IP, and (c) use
> fail2ban to limit the number of log entries from failed attempts to access
> the systems.  All logins to our customer sites are then initiated from
> inside our network once I have established the initial connection from the
> remote location so those connections can be much more restrictive if
> necessary.
> 
> One possibility would be to have a machine configured to allow password
> access from the world which one could log into, then execute ssh-agent, and
> ssh-add (with a strong pass phrase) on that machine to get access to other
> systems on your network.
> 
> If there is some reason that an ssh cannot be established, usually it's
> possible to connect with OpenVPN, which works nicely behind NAT firewalls
> and does not require kernel hacking on CentOS as things like PPTP do.
> 
> You make the job much more difficult when asking that you be able to get in
> from any old machine you might find in public space.  Other than the fact
> that the owners of these machines generally don't allow people to install
> software on them, I would be very reluctant to do anything on them that
> involved secure logins as who knows what key capture or other spyware is
> running on them.
> 
> One may be able to access your systems using webmin or its usermin module
> over an SSL connection, and webmin has a terminal interface allowing one to
> get a connection to systems.  If I remember correctly, this does require
> Java(tm) on the connecting machine, and that webmin be configured to permit
> use of the terminal module.
> 
> I much prefer to restrict webmin and usermin access though, as I have seen far
> too many systems cracked through it because it only has username/password
> authentication, and too many times, users' passwords are easily cracked.
> Once somebody is logged into usermin, for instance, they may have access to
> tools such as the chfn (change finger information) command which at one
> time on SuSE systems allowed them to change their uid to ``0'' and gain
> root access to the system.
> 
> In summary, I would be extremely reluctant to allow access from public
> machines where there is no assurance how much malware is running on top of
> the Microsoft virus, Windows.  It's very easy to revoke authorized_keys or
> OpenVPN access for a lost or stolen laptop.  Allowing password access by
> any means opens up a large can of worms.
> 
> ...
> Bill
> -- 
> INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
> Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
> Fax:            (206) 232-9186

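The one-time challenge/response gate jkinz describes above, written out as an added example (not code from the thread or from any project): the server keeps only a hash of each response, issues the next unused challenge, and burns the pair once it is answered correctly, so a response captured by a keylogger on the public machine cannot open a second session. The names make_pad and OneTimeGate, and the pad format, are invented for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical one-time challenge/response pad illustrating the scheme
# described in the thread; not any project's code.


def make_pad(n: int) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Generate n challenge/response pairs.

    Returns (server_store, user_card).  The server keeps only a SHA-256 of
    each response, so a compromise of the web host does not hand over the
    pad; the traveller carries the card on paper and types responses in.
    """
    server_store, user_card = {}, {}
    for i in range(n):
        challenge = f"{i:03d}-{secrets.token_hex(3)}"   # e.g. 000-a1b2c3 (constructed)
        response = secrets.token_urlsafe(9)              # 72 bits of entropy
        server_store[challenge] = {
            "hash": hashlib.sha256(response.encode()).hexdigest(),
            "used": False,
        }
        user_card[challenge] = response
    return server_store, user_card


class OneTimeGate:
    """Server side of the HTTPS gate: hand out an unused challenge, then
    accept exactly one correct response for it."""

    def __init__(self, server_store: Dict[str, dict]):
        self.store = server_store

    def next_challenge(self) -> Optional[str]:
        # Pairs are consumed in order; None means the pad is exhausted and
        # the gate must refuse, never re-issue a burnt pair.
        for challenge, rec in self.store.items():
            if not rec["used"]:
                return challenge
        return None

    def verify(self, challenge: str, response: str) -> bool:
        rec = self.store.get(challenge)
        if rec is None or rec["used"]:
            return False                     # unknown or already spent
        digest = hashlib.sha256(response.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec["hash"]):
            return False                     # wrong answer; pair stays live
        rec["used"] = True                   # burn it: a replayed response
        return True                          # cannot open a second session
```

Wrong answers leave the pair live, so the gate still wants fail2ban-style rate limiting in front of it, and it does nothing for the worst case both posters raise: a keylogged session is exposed for as long as it stays open.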