Lamar Owen wrote:
On Wednesday 03 October 2007, Karl Larsen wrote:
This whole line of reasoning is false. I don't care if Hacker, the
bad guy, gets on my computer with ssh. He then needs to come up with a
valid login name and password. If he fails at this in some set time it
all quits.
Until you can convince me that my system is at risk from ssh when
using a real password I am going to sleep well.
Go to www.cert.org and search for "SSH vulnerability" and understand that,
while those holes have been patched, there will be other holes found.
Buffer overflows impact your security. SELinux does mitigate their impact to
a degree, as long as it's enabled and set to enforcing; but in the specific
case of ssh that won't help a great deal.
To summarize the holes: over the years, remote execution vulnerabilities due
to program bugs have been found and patched; the fact that there have been
bug of this nature found implies strongly that there are unpatched bugs in
the code now that have not been discovered (or if they've been discovered,
the knowledge hasn't been disseminated); holes must be assumed.
Security is never absolute; and is best done in layers, and as a continuous
process. I'm not going to say that I know everything there is to know about
it; no one does. Nor am I going to say that my systems are invulnerable; no
ones are (unless they're turned off and unplugged). But I have learned a few
things in my several years experience in the field; layered security is one
of them.
The degree of usability of a system and the degree of security of a system are
inversely proportional.
Right this moment someone is trying to hack into THIS system. The
Internet traffic shows me this. I am growing tired of the ssh thing
since I'm a desktop user. This never needs ssh. I think I will turn it off.
--
Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
