[CentOS] [OT] old kit uses, and security stuff (was:Re: Is it okay?)

Fri Jan 21 20:16:55 UTC 2011
Lamar Owen <lowen at pari.edu>

On Friday, January 21, 2011 02:35:11 pm m.roth at 5-cent.us wrote:
> I have a friend with several RISC 6000's, and of course his MicroVAX. You
> had a PDP-8? When I was taking an o/s class in the mid-eighties, I was on
> a PDP-11/780. *Nice* machine, running RSTS, I think it was.

Hmm, I wonder....nope, simh isn't in EPEL 5 or 6 yet (it's available for F14).  See simh.trailing-edge.com and you'll see why I mention it.... I used simh's MicroVAX module to rescue some disk images from the VS4000's we have (they are controllers for our 7,000 pound 20x20 microdensitometers used for photographic plate scanning; see http://www.pari.edu/library/apda/rooms/ for a little bit of info about what they're for).

We want to replace the VS4000's with Linux box(en); since the interface to GAMMAs I and II is CAMAC-over-SCSI plus IEEE-488-over-RS-232 (CAMAC for the digitizer ADC and GPIO; IEEE-488 for the Agilent/HP laser interferometer servo system for the platen drive), I'm considering using the SGI box to control them; if not the SGI box, any generic CentOS box with RS-232 or IEEE-488 and a SCSI adapter will work.  (GAMMA = Guide star Automatic Measuring MAchine; used at Space Telescope Science Institute (STScI) to generate the guide star catalog for use with Hubble, as well as for generating the one arcsecond digitized sky survey 102 volume CD set.)

> Have you looked into Bastille Linux? It's not a distro, it's a set of
> scripts to harden a system.

Yes; I have tried it out, but it's just another one of those things that I periodically look at and say 'I need to be doing that....'  I think the first time I looked at it was back before RHEL3, maybe in the RHL7.2 timeframe.  It's on the list; somewhere between 'Implement PacketFence (implies writing a module for Cisco Catalyst 5500 and Cisco 7600 and Catalyst 8540 and Catalyst 2948G-L3 and the other old but working oddball Cisco switches and routers in my network)' and 'Implement IPv6 (once the ISP gives me the prefix)'.  That is, pretty high up the list, just not in the execution queue yet.

> <snip>
> > about it, too.  Now I don't allow outbound port 22 to just anywhere (among
> 
> Ah, no. When I've had a home network with the old machine running, the
> *only* place it would accept ssh from was the inside NIC.

That's the point; it was an outbound *to* someone else's port 22 brute-forcer.  I can count on one hand the number of people who have come here and had me add their server to the 'outbound to port 22' permit ACL on the Cisco border router(s).  That way, even when someone gets in, they can't get out, at least not on that port.  Yeah, I said when, not if.  Someone at some point in time will get in; when that does happen I want to try to mitigate the potential for damage.

That is, since I know I cannot possibly prevent all ingress attempts, I can at least make the success as useless as possible.  That's part of the reason PacketFence is high on my To Do list.

1 PARI Drive
Rosman, NC  28772
http://www.pari.edu
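The egress policy described in the reply above (deny outbound TCP/22 from the LAN unless the source is on an explicit permit list, and treat a burst of denies from one inside host as the sign of a compromised box running an outbound brute-forcer), as an added Python example that is not part of the list post. Addresses, the ACL name and the log lines are constructed placeholders, written in roughly the shape of Cisco IOS `log`-keyword ACL output.

```python
"""Defender-side checks for an 'outbound to port 22' egress ACL (added example).

evaluate_egress():   apply the deny-by-default rule to one outbound flow.
flag_ssh_scanners(): scan ACL deny logs and flag inside hosts that were
                     refused outbound SSH to several distinct destinations.
All addresses, the ACL name and the log sample below are constructed."""
import re
from ipaddress import ip_address, ip_network

# Inside hosts explicitly permitted to originate SSH to the outside (placeholders).
SSH_EGRESS_PERMIT = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}
INTERNAL_NET = ip_network("10.0.0.0/8")          # assumed site prefix

def evaluate_egress(src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for an outbound flow under the port-22 rule."""
    s, d = ip_address(src), ip_address(dst)
    if d in INTERNAL_NET:                        # intra-site traffic is not egress
        return "permit"
    if dport == 22 and s not in SSH_EGRESS_PERMIT:
        return "deny"                            # default deny for outbound SSH
    return "permit"

# Approximate shape of an IOS ACL 'log' line for a denied TCP packet (constructed).
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packet"
)

def flag_ssh_scanners(log_lines, threshold=3):
    """Return {source_ip: distinct_destinations} for inside hosts whose denied
    outbound port-22 attempts reached `threshold` distinct destinations."""
    targets = {}
    for line in log_lines:
        m = ACL_LOG_RE.search(line)
        if m and m["dport"] == "22":
            targets.setdefault(m["src"], set()).add(m["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

SAMPLE_LOG = [  # constructed, not real router output
    "%SEC-6-IPACCESSLOGP: list SSH-EGRESS denied tcp 10.0.0.5(40001) -> 203.0.113.7(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list SSH-EGRESS denied tcp 10.0.0.5(40002) -> 203.0.113.8(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list SSH-EGRESS denied tcp 10.0.0.5(40003) -> 203.0.113.9(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list SSH-EGRESS denied tcp 10.0.0.7(40004) -> 198.51.100.2(22), 1 packet",
]

if __name__ == "__main__":
    print(evaluate_egress("10.0.0.5", "203.0.113.7", 22))   # deny
    print(flag_ssh_scanners(SAMPLE_LOG))                     # {'10.0.0.5': 3}
```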