[Gllug] honeypots and iptables redirects?

Bruce Richardson itsbruce at uklinux.net
Mon Sep 5 07:45:47 UTC 2005


On Sun, Sep 04, 2005 at 11:12:48AM +0100, Doug wrote:
> Russell Howe wrote:
> >If they were lax enough to have an old ssh installed, or weak passwords,
> >or enabled root login over ssh on an internet-accessible machine, then
> >the chances of them reacting sensibly to being told that their machine
> >is compromised are pretty low, I expect.
> 
> At the risk of putting the cat amongst the pigeons (in fact, I'm donning 
> my flame-proof long johns now), I don't think having remote root logins 
> enabled over ssh makes any real difference to security, unless you only 
> log in as root over a physical console (or you have a poor root password 
> of course).

There is another sense in which it contributes toward security, in that
it helps establish accountability.  If a machine has to be logged into
with user accounts, with admins having to then su to root, use sudo or
whatever, then the audit trail is much more clear.  This is not a
trivial thing.

> 
> If someone can gain a normal user account on a machine, then you have to 
> assume that they can get root, so stopping remote root logins doesn't 
> make much difference.

Security involves incremental hurdles, so dismissing any one measure
simply because it isn't perfect isn't valid in itself.

-- 
Bruce

It is impolite to tell a man who is carrying you on his shoulders that
his head smells.
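
The accountability point in the message above, as an added example that is not part of the original post: with direct root logins the log records only "root" and a source address, while a sudo entry names the account that became root. The log lines are constructed samples in the common OpenSSH and sudo syslog formats, and the function name root_audit is hypothetical.

```python
import re

# Constructed sample auth.log lines (not from the original post).
SAMPLE_LOG = """\
Sep  5 07:01:12 host sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Sep  5 07:02:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/iptables -L
Sep  5 07:10:03 host sshd[2188]: Accepted password for root from 192.0.2.77 port 41811 ssh2
Sep  5 07:15:30 host sshd[2230]: Accepted publickey for bob from 192.0.2.11 port 50340 ssh2
Sep  5 07:16:02 host sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
"""

# Successful ssh logins and sudo invocations that target root.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(.+)$")


def root_audit(log_text):
    """Split root activity into attributed and unattributed events.

    attributed:   (account, last ssh source address, command) for each sudo-to-root
    unattributed: (source address, auth method) for each direct root login
    """
    last_ip = {}  # most recent ssh source address seen per named account
    attributed, unattributed = [], []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if user == "root":
                # The log cannot say which admin this was, only where it came from.
                unattributed.append((ip, method))
            else:
                last_ip[user] = ip
            continue
        m = SUDO_RE.search(line)
        if m:
            user, command = m.groups()
            attributed.append((user, last_ip.get(user, "unknown"), command))
    return attributed, unattributed


if __name__ == "__main__":
    named, anonymous = root_audit(SAMPLE_LOG)
    for user, ip, command in named:
        print(f"root command by {user} (ssh from {ip}): {command}")
    for ip, method in anonymous:
        print(f"direct root login from {ip} via {method}: no named account")
```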