On 10/5/07, Jonathan Underwood <jonathan.underwood@xxxxxxxxx> wrote:
> On 04/10/2007, Tod Merley <todbot88@xxxxxxxxx> wrote:
> > On 10/4/07, Alan M. Evans <fedoralist@xxxxxxxxxxxxx> wrote:
> > > On Thu, 2007-10-04 at 00:26 +0100, Jonathan Underwood wrote:
> > > > On 03/10/2007, Alan M. Evans <fedoralist@xxxxxxxxxxxxx> wrote:
> > > > > Keep your SSH and your "real password" and sleep like a baby. As for me,
> > > > > I won't trust SSH alone. I employ other methods, including rsa keys,
> > > > > special iptables rules, and SELinux, to enhance the security of my
> > > > > system. (For the record, I run SSH on the standard port, despite the
> > > > > fact that I claim it would enhance security further.)
> > > > >
> > > >
> > > > I'd be interested to know what SELinux policy changes you've
> > > > implemented to add further security to sshd?
> > >
> > > None, actually. Sorry if I was misunderstood. I merely mentioned SELinux
> > > because I'm aware that Karl doesn't think it's useful and I do because
> > > of the "layered security" model that I was discussing. Karl was saying,
> > > in effect, that SSH and a "good" password were enough, and that's why I
> > > was mentioning layered security.
> > >
> > > In retrospect, it probably shouldn't have been lumped in with the rsa
> > > keys and iptables rules.
> > >
> > > (Also, Karl may not have anything against SELinux. I just made that
> > > statement without researching the list history because in my mind I
> > > lumped him in with the cabal of anti-SELinux guys. That impression may
> > > be incorrect.)
> > >
> > > --
> > > fedora-list mailing list
> > > fedora-list@xxxxxxxxxx
> > > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> >
> > Hi Alan!
> >
> > With SSH and similar popular connection tools I would like to see a
> > utility which sets up a client on the machine seeking the connection
> > which talks to a server on the machine being connected to. The
> > utility would use a customized "query / response" protocol on a
> > non-standard port to turn on the connection tool (e.g. SSH) and
> > establish that the connection to be made on a random non-standard port
> > the identity of which is communicated by a custom encrypted packet.
> >
> > The original query to the server would need to be proper to elicit a
> > response. So, the keys to the box, and the location of the locks are
> > only known to the user.
> >
> > Anyone already doing this?
>
> I think you're describing port knocking - read
>
> http://en.wikipedia.org/wiki/Port_knocking
>
> and look at the links at the end.
>
> J.

Hi Jonathan Underwood!

Yes, exactly what I was thinking of - developed, elaborated, and expanded.

Thanks Much!

Tod
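The "query / response" scheme Tod sketches above (an authenticated query to a listener, which answers with a randomly chosen port in an encrypted packet) is the single-packet flavour of port knocking that Jonathan's link leads to. The following is an added illustration written for this page, not code from the thread, from Fedora or from any port-knocking project. Everything in it is constructed: the shared key, the packet layout (nonce, timestamp, HMAC-SHA256 tag), the `KnockServer` class and the `build_knock` / `read_response` helpers are names chosen here, and it models the firewall action only by recording which port would be opened. What it shows from the defender's side is the three checks that separate an authenticated knock from a fixed port sequence a passive observer could simply replay: the tag proves possession of the key, the timestamp bounds how long a captured knock stays usable, and the nonce cache rejects a captured knock even inside that window. An invalid knock gets no reply at all, so the listener does not announce itself to probing.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret for the example; a real deployment provisions it out of band.
SHARED_KEY = b"example-knock-secret-constructed-for-illustration"

# Knock packet layout (chosen for this example): 16-byte nonce | 8-byte big-endian unix time | 32-byte HMAC-SHA256 tag.
NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32
KNOCK_LEN = NONCE_LEN + TS_LEN + TAG_LEN
MAX_SKEW_SECONDS = 30  # how old (or future-dated) a knock may be before it is ignored


def _tag(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a fixed label plus the message parts; the label keeps
    knock tags and response tags from being confused with one another."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def build_knock(key: bytes, now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: the 'query'. A fresh nonce and a timestamp, authenticated with the shared key."""
    ts_bytes = struct.pack(">Q", int(time.time()) if now is None else now)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return nonce + ts_bytes + _tag(key, b"knock", nonce, ts_bytes)


class KnockServer:
    """Server side: validates knocks and answers a valid one with an ephemeral port number.
    Invalid knocks get no reply, so the listener never reveals itself to probing."""

    def __init__(self, key: bytes, port_range: Tuple[int, int] = (20000, 60000)) -> None:
        self.key = key
        self.low, self.high = port_range
        self.seen_nonces = set()              # replay cache (pruned by MAX_SKEW_SECONDS in a real daemon)
        self.opened: Dict[bytes, int] = {}    # nonce -> port the firewall would open for this client

    def handle(self, packet: bytes, now: Optional[int] = None) -> Optional[bytes]:
        if len(packet) != KNOCK_LEN:
            return None
        nonce, ts_bytes, tag = (packet[:NONCE_LEN],
                                packet[NONCE_LEN:NONCE_LEN + TS_LEN],
                                packet[NONCE_LEN + TS_LEN:])
        # 1. Authenticity: constant-time compare so tag checking leaks no timing information.
        if not hmac.compare_digest(tag, _tag(self.key, b"knock", nonce, ts_bytes)):
            return None
        # 2. Freshness: a captured knock cannot be reused after the window closes.
        current = int(time.time()) if now is None else now
        if abs(current - struct.unpack(">Q", ts_bytes)[0]) > MAX_SKEW_SECONDS:
            return None
        # 3. Uniqueness: a captured knock cannot be reused even inside the window.
        if nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        # Pick the random non-standard port on which the real service (e.g. sshd) would be exposed.
        port = self.low + int.from_bytes(os.urandom(2), "big") % (self.high - self.low)
        self.opened[nonce] = port
        return self._seal_response(nonce, port)

    def _seal_response(self, nonce: bytes, port: int) -> bytes:
        """Encrypt-then-MAC the 2-byte port. The keystream is derived by HMAC from the nonce and the
        server enforces nonce uniqueness, so it is never reused; a real daemon would use an AEAD."""
        plaintext = struct.pack(">H", port)
        keystream = _tag(self.key, b"resp-ks", nonce)[:len(plaintext)]
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
        return ciphertext + _tag(self.key, b"resp", nonce, ciphertext)


def read_response(key: bytes, knock: bytes, response: bytes) -> Optional[int]:
    """Client side: verify the response tag, then decrypt the port number."""
    nonce = knock[:NONCE_LEN]
    ciphertext, tag = response[:2], response[2:]
    if not hmac.compare_digest(tag, _tag(key, b"resp", nonce, ciphertext)):
        return None
    keystream = _tag(key, b"resp-ks", nonce)[:2]
    return struct.unpack(">H", bytes(c ^ k for c, k in zip(ciphertext, keystream)))[0]


def demo(now: int = 1_700_000_000) -> dict:
    """One legitimate exchange followed by the three rejections a defender relies on."""
    server = KnockServer(SHARED_KEY)
    knock = build_knock(SHARED_KEY, now=now)
    response = server.handle(knock, now=now)
    return {
        "port": read_response(SHARED_KEY, knock, response),
        "granted": server.opened.get(knock[:NONCE_LEN]),
        "replayed": server.handle(knock, now=now),                                # same packet again
        "stale": server.handle(build_knock(SHARED_KEY, now=now - 600), now=now),  # captured 10 min ago
        "wrong_key": server.handle(build_knock(b"not-the-key", now=now), now=now),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields one opened port for the fresh knock and `None` for the replayed, stale and wrongly keyed knocks. The design choice worth noting is that the server stays silent on every failure path; a listener that answered "bad knock" would already have told a scanner where the locks are, which is exactly what Tod wants to avoid.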