-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wade Curry wrote:
> Considering your conscientious approach to security, your response
> rather surprises me. Sounds more fatalistic than I would've
> expected.
You only have to screw up once. A year or two ago my stepfather, whose name is "alvin", changed his password to something apparently easily guessable. Oops. That wasn't even my screwup, but an automated brute force password attack got in anyhow. The previous intrusion before that was when ssh had a remote root exploit a couple of years earlier. Way back when I started using Linux a friend of mine rooted my box with a sendmail exploit. Sure, sendmail sucks, but I didn't know it at the time, as many newbie Linux users would not, so that counts too. A few months ago we had a PHP based webapp exploited and a phishing site put up on one of our machines at work. Oops. Normally I avoid PHP apps but that was a pre-existing company required app.

I am quite conscientious when it comes to security and it still isn't enough! My systems are still quite usable and not exactly inconvenient to use, so I obviously need to implement more restrictive controls on my systems. SE Linux is one of my best options. It would have stopped all of these attacks except the brute force password attack. I should probably be cracking my own passwords every day to root out weak ones, but I'm not sure I want to dedicate so much CPU time to that.

> How long is long enough for a server to be cracked? It seems like
> an awful lot of the stories I've heard involve a machine that was
> cracked before all the security components were in place.

Long enough for an exploit to be discovered in some service you are running? Long enough for one of your users to use an insecure network connection and get their password sniffed? Long enough for one of your users to choose a bad password? Or perhaps to give it out to someone untrustworthy, even though that is normally against policy but happens anyway?

> How many intrusions would you expect to see over the course of...
> let's say 2 years - for any given number of publicly available
> installations?

I don't know. It can vary wildly.
- -- 
Tracy R Reed
http://ultraviolet.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFAQWO9PIYKZYVAq0RAiX7AJ9MnRPGpLCsMyf0bZ9ZPqEhVG78rACglNwK
9Th89NK8u5zguw17QUlbzP4=
=scor
-----END PGP SIGNATURE-----
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
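The "automated brute force password attack got in anyhow" case above is exactly the pattern a log watcher should catch: a burst of failed password logins from one address, followed by a successful password login from the same address. The script below is an added example and is not part of Tracy's post or anything from the kplug list; the sshd log lines in it are constructed to look like OpenSSH "Failed password" / "Accepted password" messages, and the host name, user names, addresses and the 2006 year used for timestamp parsing are all assumptions. It flags a source once it crosses a failure threshold inside a sliding window, and raises a higher-severity alert when that source later authenticates with a password.

```python
"""Detect SSH password brute-force attempts in sshd auth log lines.

Added example, not code from the original mailing-list post. The sample log
below is constructed; host, users and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in classic syslog format (no year in the timestamp).
SAMPLE_LOG = """\
Sep  8 03:14:01 mail sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Sep  8 03:14:03 mail sshd[2203]: Failed password for alvin from 203.0.113.7 port 51004 ssh2
Sep  8 03:14:05 mail sshd[2205]: Failed password for alvin from 203.0.113.7 port 51006 ssh2
Sep  8 03:14:07 mail sshd[2207]: Failed password for alvin from 203.0.113.7 port 51008 ssh2
Sep  8 03:14:09 mail sshd[2209]: Failed password for alvin from 203.0.113.7 port 51010 ssh2
Sep  8 03:14:11 mail sshd[2211]: Accepted password for alvin from 203.0.113.7 port 51012 ssh2
Sep  8 09:30:00 mail sshd[2400]: Accepted publickey for treed from 198.51.100.2 port 40001 ssh2
Sep  8 09:31:00 mail sshd[2402]: Failed password for treed from 198.51.100.2 port 40003 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password for X from IP" style lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2006):
    """Return a dict for an sshd auth line, or None for anything else.

    Syslog timestamps carry no year, so one is supplied (assumed 2006 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=4, window_seconds=300):
    """Scan log text and return a list of alert dicts.

    'bruteforce': a source IP reached `threshold` failed password logins
                  within `window_seconds`.
    'success_after_bruteforce': a flagged source then logged in with a
                  password; this is the case worth paging someone for.
    """
    failures = defaultdict(list)  # ip -> timestamps of failed password logins
    flagged = set()               # ips that already crossed the threshold
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue  # ignore key-based logins and unrelated lines
        ip = ev["ip"]
        # Drop failures that fell out of the window ending at this event.
        failures[ip] = [t for t in failures[ip]
                        if (ev["ts"] - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "count": len(failures[ip]), "at": ev["ts"]})
        elif ev["result"] == "Accepted" and ip in flagged:
            alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample it reports one "bruteforce" alert for 203.0.113.7 after the fourth failure and one "success_after_bruteforce" alert when "alvin" is accepted from the same address; the single failure from 198.51.100.2 and the public-key login stay quiet. The threshold and window are deliberately small for the demo; on a real host you would tune them to what your users actually do and feed the alerts into whatever blocks or pages on your network.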
