[CentOS] duqu

Wed Dec 7 01:32:22 UTC 2011
Always Learning <centos at u61.u22.net>

On Tue, 2011-12-06 at 17:06 -0800, James A. Peltier wrote:

> | The first thing I did was to make a 20-odd character password for Root
> | with lowercase, uppercase and digits (using my former address in
> | Germany).
> 
> Great!  I'll do a little Google'ing and see if I can find out what that
>  might be.  While this is great advice, I have a long password too,
>  most users are completely incapable of remembering their 6-8 character
>  passwords without writing them down.

Don't judge everyone by your own standards. You will be wasting your
time. Do you really think I would put on here anything that might
compromise my servers' security ???? That address is 30+ years old and I
had several addresses in der BRD.

The point about using an address for a password is that it is easy to
remember even when substituting lowercase for uppercase and digits for
letters.  AND it is also LONGER than 6 characters.

> | The next thing I did was to change the default SSH port number AND
> | restrict access to 3 approved IP addresses only.
> 
> This is good.  I mean the restricting part at least.  Changing the port
>  is a joke.

Leaving it with the original port number is surely like waving a flag
saying 'Open for Business'. At least make some effort. 

> | Anyone who leaves SSH on a default port open to any IP address is
> | stupid.
> 
> This is completely and utterly retarded.  You have done *NOTHING* to
>  secure SSH by doing this.  You have instead made it only slightly, and
>  I mean ever so slightly, more secure.  A simple port scan of your
>  network would find it within seconds and start to utilize it.

No. Your interpretation of what I wrote is defective. I never wrote it
was the ONLY action, did I ????


> | Anyone not wanting to allow SSH access into their machine should
> | consider:-
> | 
> | chkconfig --list|grep ssh
> | chkconfig sshd off
> | service sshd stop
> | 
> | Long, not easy to guess and totally beyond the reach of dictionary
> | attacks, passwords for Root are absolutely essential. Security begins
> | with a minimum password length of 12 characters for ALL users.
> 
> Good advice for sure, but not allowing password log in through SSH at
>  all, instead relying on Public/Private keys (preferably those with
>  passwords), would be much better.

Doing that already. I never said my posting contained everything I do.

> | Rootkits are another essential.
> 
> Yes.  I love it when my machines have rootkits!  I think you meant
>  rootkit detectors. LOL.

Agreed :-)


> | There is a real war on. No sensible person lays down and lets the
> | enemy walk all over them. Constant and widespread defence is vitally
> | important. Every day I see evidence of many hacked computers all
> | around the world. It persuades me to think many admins are simply
> | incompetent - they seem to use Windoze.
> 
> Admins are not the incompetent ones.

Some clearly are. Allowing machines to be used to send spam and launch
web hacking attacks is something no competent admin should do. Admins'
first job, these days, is to make their machines secure and invasion
resilient.

>  The users are!  Any decent admin is going to ensure that there are
>  the most layers and defensive systems in place to ensure a level of
>  security that doesn't require the *USERS* to be rocket scientists.

Don't blame ignorant users for the omissions of the security-responsible
admins!

>  Security is all about balance, not magic bullets.  Having systems in
>  place that protect the systems while not getting terribly in the
>  way.  This BS about Windows (Windoze, Window$, etc.) is just that: BS.
>  I know many *VERY GOOD* Windows admins.  A bad admin is a bad admin
>  no matter what platform you put them in front of.

Security these days is not about an abstract illusion called 'balance'.
It is about vigilant and vigorous defence because there is a real war
going on every minute of every day. 

Most hacked/compromised machines are Windoze especially servers.


> | A professional qualification in basic server security would be a
> | useful attribute.
> 
> A basic qualification to operate a computer would also be nice.  Sad
>  thing is, there is no such thing.

Employers will welcome learning their computer staff have a Computer
Security qualification. Eventually it should be more difficult for those
lacking it to get jobs. 

Whilst Windoze is primarily a system for playing on, rather than doing
serious work, your comment 'A basic qualification to operate a computer
would also be nice.' is never going to happen.

-- 
With best regards,

Paul.
England,
EU.
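The two sshd settings the thread argues over (leaving the default port, and allowing password logins rather than key-only logins) can be checked mechanically. The script below is an added example, not code from the thread or from either poster; the sample sshd_config it embeds is constructed, the function names `ssh_directive` and `audit_sshd_config` are this example's own, and the fallback defaults (Port 22, PasswordAuthentication yes, PubkeyAuthentication yes) are OpenSSH's documented defaults for an unset directive. Restricting access to approved source addresses, the other measure mentioned, is normally done in the firewall or with a `Match Address` block and is not audited here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config for the
# settings discussed above. Pass a real file as $1 to audit a live host; with no
# argument the constructed sample below is audited instead.

SAMPLE_CONFIG=$(cat <<'EOF'
# constructed sample: a default-looking sshd_config
#Port 2222
Port 22
passwordauthentication yes
PubkeyAuthentication yes
EOF
)

# Print the effective value of one directive from config text.
#   $1 = config text, $2 = directive name
# Comment lines are skipped, keywords compare case-insensitively (as sshd
# does), and the FIRST occurrence wins, matching sshd_config(5). Prints an
# empty line when the directive is not set.
ssh_directive() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && val == "" && tolower($1) == tolower(key) { val = $2 }
        END { print val }'
}

# Print one line per weak setting found; print nothing when all checks pass.
audit_sshd_config() {
    cfg=$1
    port=$(ssh_directive "$cfg" Port)
    pass=$(ssh_directive "$cfg" PasswordAuthentication)
    pubkey=$(ssh_directive "$cfg" PubkeyAuthentication)

    # OpenSSH defaults when a directive is absent from the file.
    [ -z "$port" ]   && port=22
    [ -z "$pass" ]   && pass=yes
    [ -z "$pubkey" ] && pubkey=yes

    [ "$port" = "22" ]   && echo "Port: default 22 in use (the thread's 'open for business' flag)"
    [ "$pass" != "no" ]  && echo "PasswordAuthentication: enabled; key-only login was advised"
    [ "$pubkey" = "no" ] && echo "PubkeyAuthentication: disabled, so key-only login is impossible"
    return 0
}

# Stand-alone run: audit the file named in $1, else the constructed sample.
if [ -n "$1" ]; then
    audit_sshd_config "$(cat "$1")"
else
    audit_sshd_config "$SAMPLE_CONFIG"
fi
```

On the constructed sample the audit reports two findings (default port and password logins enabled); a config carrying `Port 2222`, `PasswordAuthentication no` and `PubkeyAuthentication yes` produces no output. The first-occurrence rule matters in practice: a hardening line appended to the end of a file that already sets the same directive earlier is silently ignored by sshd, and this audit reports what sshd will actually use.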