On 05/06/2011 03:21 AM, Aleksandar Ivanisevic wrote:
>
>
> On 05/05/2011 06:57 PM, Luke S Crawford wrote:
>
>> but yeah. I like to avoid jelly donut security as much as practical.
>> For me, the "trusted network" is something I can almost entirely get rid of.
>
> Practical is a matter of definition and in my book it is always a
> product of usefulness and price. Do you really want to spend any time
> and resources (read: money) to run VPN from the load balancer to the
> frontend server just because it's easy(er) when most of the breaches
> happen by users picking up malware? Sort out the low hanging fruit first.

Whatever it is, it's a trade-off between work/convenience and risk.

As for restricting ssh shell commands, I like to use the authprogs Perl script wrapper.
http://www.cmdln.org/2008/02/11/restricting-ssh-commands/

-- 
Nick Anderson <n...@cmdln.org>

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
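
The forced-command approach mentioned in the message above, as an added example that is not part of the original post and is not authprogs itself: a minimal wrapper that sshd runs in place of whatever the client requested, allowing only exact command lines from a list. The script path, the policy entries and the key comment are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Forced-command wrapper: sshd runs this instead of what the client asked for.

Hypothetical authorized_keys entry (key material elided):
  restrict,command="/usr/local/bin/ssh-allow.py" ssh-ed25519 AAAA... backup@host
"""
import os
import shlex
import sys
import syslog

# Constructed sample policy: the exact command lines this key may run.
ALLOWED = {
    "/usr/bin/uptime",
    "/usr/bin/df -h /var",
}


def resolve(original_command):
    """Return argv for an allowed request, or None to refuse it."""
    if not original_command:
        return None  # no command sent: an interactive login attempt
    if original_command not in ALLOWED:
        return None  # exact match only; no prefix, glob or regex matching
    # Split without invoking a shell, so ';', '|', '$()' and backticks
    # are never interpreted even if a policy entry contained them.
    return shlex.split(original_command)


def main():
    # sshd places the client's requested command line in this variable.
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    argv = resolve(requested)
    if argv is None:
        # Record the refusal locally, tell the client, and fail closed.
        client = os.environ.get("SSH_CLIENT", "unknown")
        syslog.syslog(syslog.LOG_WARNING,
                      f"ssh-allow: denied {requested!r} from {client}")
        print("command not permitted", file=sys.stderr)
        return 1
    os.execv(argv[0], argv)  # replaces this process; does not return on success


if __name__ == "__main__":
    sys.exit(main())
```

The `restrict` key option (OpenSSH 7.2 and later) also disables PTY allocation and port, agent and X11 forwarding for that key, so the wrapper's allowlist is the only thing the key can reach.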