[olug] Security

Phil Brutsche phil at giedi.obix.com
Sat Jan 5 00:29:20 UTC 2002


A long time ago, in a galaxy far, far away, someone said...

> Wrong Brian....sorry the Brian I was referring to knows what I'm talking
> about...Also I'm glad that this has turned into a decent thread on
> security...what do we think is the risk factor of a computer whose only
> outside access is through SSH...but it still has internal network access how
> big of a risk factor is it to the internal network?

If it's connected to the internet and your internal network treat it as a
firewall.

> How about if that internal network were connected to someone else's
> private network over a VPN...would that person have reason to be
> concerned...as on the flip side the person running the SSH machine
> would have cause for concern over a Win2k Server having access to the
> internal network and thus his over the VPN....aren't they both equally
> bad security risks or is one worse than the other...Then what about
> running Sendmail, and Apache on a machine hooked also into the private
> network where does this fall?

Depends.  How are those services configured?  In RH7.2 Sendmail listens
only on 127.0.0.1 by default.  In that configuration, what's your risk?
Ditto for Apache.

> I mean can we really be secure with any external access

No

> and where would people rank these risks 1-3, 1 being the highest risk
> and 3 being the lowest...here is what I say:  1)  Apache and Sendmail,
> 2) SSH and 2) Win2k....i say the last two are lower because of all the
> exploits for sendmail...but I think SSH and Win2k are equally bad what
> do you all think?

Not necessarily.  You're leaving out all the ways a system's configuration
can vary from the default, as well as program versions and compile-time
options - OpenSSH > 2.3 isn't vulnerable to the recent SSH exploits, for
example.  Another example: Sendmail versions 8.9 and 8.10 aren't
vulnerable to the recent 8.11 root exploit.

Thus, I would put the rankings as:

Apache 3
Sendmail 2
SSH 2
Windows 1



Phil
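Added example, not part of the thread: a small Python check that parses `ss -ltnp`-style listening-socket output (the sample below is constructed, not captured from any real host) and reports which daemons are bound beyond loopback. It is one way to answer the configuration question raised above about a Sendmail that only listens on 127.0.0.1.

```python
"""Classify listening TCP sockets as loopback-only or reachable from other hosts."""
import ipaddress
import re

# Constructed sample in `ss -ltnp` form (not from a real host): Sendmail on
# loopback only, sshd and httpd on all interfaces, cupsd on IPv6 loopback.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       10      127.0.0.1:25         0.0.0.0:*          users:(("sendmail",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=901,fd=4))
LISTEN  0       128     [::1]:631            [::]:*             users:(("cupsd",pid=500,fd=7))
LISTEN  0       128     [::]:443             [::]:*             users:(("httpd",pid=901,fd=6))
"""

# Local address, port and the first process name from a LISTEN line.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return (process, bind_address, port) for every LISTEN line in text."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr = m.group(1).strip("[]")   # drop IPv6 brackets
            found.append((m.group(3), addr, int(m.group(2))))
    return found


def is_loopback_only(addr):
    """True when the bind address keeps the socket unreachable from other hosts."""
    if addr == "*":                         # older ss prints '*' for all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback


def externally_reachable(text):
    """Sorted names of processes with at least one socket bound beyond loopback."""
    return sorted({proc for proc, addr, _ in parse_listeners(text)
                   if not is_loopback_only(addr)})


if __name__ == "__main__":
    for proc, addr, port in parse_listeners(SAMPLE_LISTENERS):
        scope = "loopback only" if is_loopback_only(addr) else "EXTERNAL"
        print(f"{proc:10} {addr}:{port:<5} {scope}")
```

On a live system, feed it the output of `ss -ltnp` run as root; processes that show as EXTERNAL are the ones whose version and configuration actually matter for the risk ranking.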

