Mailing List Archive: 49091 messages
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

OT: SSH and secure servers, WAS: XML / dialects

 [1/2] from: bwilson::ihpva::org at: 7-Jan-2002 12:13


On Mon, 7 Jan 2002, Jason Cunliffe wrote:
> A good example, I have been grappling with very recently: A web site > development has had its security compromised. From now on the site needs > secure client access tols such as SSH2 Telnet and better FTP.
SORRY - not much REBOL content here but I think this is worth saying in response... There are numerous totally free ssh and ssl cross platform solutions. See http://www.clickshift.com/ssh/ for some info + links on ssh. BUT they only in keep data from being sniffed as it passes over the 'net. I am a REBOL newbie so it's hard for me to see how it fits into the picture. I bet your compromise came by exploiting a buffer overflow or some stupid scripting configuration problem. Would this not include badly written REBOL scripts? IMHO you have much more to worry about from security holes unintentionally installed by yourself (NEVER happens to ME of course! HA HA) and by the providers of your various server tools such as BIND, Apache, MS Exchange and so on. If you really are serious about bolting down the lid on a server, look at HP secure linux. If you are a tightwad like me also look at the NSA secure server project. I have not yet deployed HP OS yet on an exposed server. Risk versus cost and complexity and all that. SOON though! -- Brian Wilson Santa Rosa, California 707-576-7649

 [2/2] from: jason:cunliffe:verizon at: 7-Jan-2002 15:55


Brian Wilson <[bwilson--ihpva--org]> wrote:
> There are numerous totally free ssh and ssl cross platform solutions. > See http://www.clickshift.com/ssh/ for some info + links on ssh. > BUT they only in keep data from being sniffed as it passes over the 'net.
Hi Brian Thanks.
> I bet your compromise came by exploiting a buffer overflow or some > stupid scripting configuration problem. Would this not include badly > written REBOL scripts?
It could indeed, especialy as people are tempted to adjust permissions to get REBOL or other cgi working. Once it is they tend to forget and move on. As it turns out the compromise came via some skilled peopel exploiting SSH1 weaknes. You can read about it here: http://www.incidents.org http://www.incidents.org/diary/diary.php?id=138
> IMHO you have much more to worry about from security holes > unintentionally installed by yourself (NEVER happens to ME of course! > HA HA) and by the providers of your various server tools such as BIND, > Apache, MS Exchange and so on.
Yes. As someone said/wrote "security is not a product, its a process." My main security argument has been for that we need very careful use of permissions. People want to believe in a golden tool/bullet. I inherited sysadmin role for a very messy undocumented system. Decided to take it right down and rebuild from scratch. The major part of the learning curve, no matter what OS, and or whatever versions of each element, still all comes down to the user/group/other permission structure. How that is planned and maintained. I welcome any advice, good reading especially to help the strategic planning stages. I am hoping that REBOL will beocme a valuable tool in this process. A big question is how to use it well for secure custom remote sysadmin. Working between REBOL/Command on the server and REBOL/ViewPro and/or REBOL/Command on clients. Does anyone have any experience with this? ./Jason