On Wednesday 03 October 2007, Karl Larsen wrote: > This whole line of reasoning is false. I don't care if Hacker, the > bad guy, gets on my computer with ssh. He then needs to come up with a > valid login name and password. If he fails at this in some set time it > all quits. > Until you can convince me that my system is at risk from ssh when > using a real password I am going to sleep well. Go to www.cert.org and search for "SSH vulnerability" and understand that, while those holes have been patched, there will be other holes found. Buffer overflows impact your security. SELinux does mitigate their impact to a degree, as long as it's enabled and set to enforcing; but in the specific case of ssh that won't help a great deal. To summarize the holes: over the years, remote execution vulnerabilities due to program bugs have been found and patched; the fact that there have been bug of this nature found implies strongly that there are unpatched bugs in the code now that have not been discovered (or if they've been discovered, the knowledge hasn't been disseminated); holes must be assumed. Security is never absolute; and is best done in layers, and as a continuous process. I'm not going to say that I know everything there is to know about it; no one does. Nor am I going to say that my systems are invulnerable; no ones are (unless they're turned off and unplugged). But I have learned a few things in my several years experience in the field; layered security is one of them. The degree of usability of a system and the degree of security of a system are inversely proportional. -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 (828)862-5554 www.pari.edu
