Re: [ossig] When is secure, secure enough?
Thanks everyone for your input. I forgot about IDS.
I can see that computer security can be a whole semester or two worth of courseware. Which means many, many systems out there are terribly vulnerable, considering how few people have actually learned all this stuff. It's certainly not something you can learn in a week or two.
I guess here, a reasonably good base OS can really help. For example, OpenBSD will have most holes covered while you're learning the ropes. This is in contrast to, for example, Red Hat's (perhaps older) releases, which have every service possible under the sun and run them from first boot onwards.
> Depends on what you want, there are many different types of security.
> Physical, System and of course on the human level.
Right - this is assumed. Sorry, should have made that clear. I was thinking: given that the box is in a secure place, few humans have access etc. But the box needs to be on the internet.
> can be cracked. However, make sure you got consent from management
> first. You might get into trouble for running it in your organization,
> depending on the policy.
I don't have to worry too much about this since there are _very_ few users with login/terminal access: fewer than 5.
>
> > - use encrypted passwords
>
> Passwords by default are hashed, not encrypted. Some systems today still
> use the crypt function, which is basically DES. Most out-of-the-box
> Linux distributions only hash up to 8 characters. You can however play
> with PAM and change this default policy to go beyond that by using MD5
> or SHA-1.
A good thing I'm using FreeBSD. I'm switching to Blowfish systemwide.
> > - do not use unsafe services like telnet
> disable telnet on your system.
It was not even on to begin with. BSD rocks. :-)
Sorry for the advocacy here, but in my limited experience I have found FreeBSD (and NetBSD; I have not tried OpenBSD seriously) to be much easier to admin than the Linuxes I've used (Mandrake, Red Hat).
>
> IDS and a security policy would be nice. From my experience, you need
I'll need to seriously look into IDS.
> is actually a very good idea. A good security policy is the one that
> everyone can accept or at least understand the implications. You can
I like to stick to the KISS principle. The simpler the policy the easier it is for folks to do it properly and consistently.
>
> Sometimes an obscure OS is the one that will be least likely to be
> hacked. Let's say if you run Apache on AtheOS. Chances are few people
> would want to hack into a system like this. Most crackers today are
> just script kiddies and know very few things in between.
I know.
> Another thing I would do is to get other sysadmins you trust to audit
> your site.
Ah, thanks for the suggestion. I'll do this.
Thanks also to Chris for that long list of suggestions. The trick with establishing patterns is that you need a fairly long time period to establish them! Not something you can do right away...
Regards,
Mukhsein Johari
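The thread above talks about moving accounts off the old 8-character DES crypt onto MD5 or Blowfish hashes. The following is an added example, not code from the list or from any BSD project, that audits a password file for accounts still on the weak format so an admin can confirm the switch actually took effect. It assumes the hash sits in the second colon-separated field (true for FreeBSD's master.passwd and Linux's shadow) and uses constructed sample lines rather than a real file.

```python
import re

# crypt(3) hash formats: traditional DES hashes are exactly 13 characters
# from the [./0-9A-Za-z] alphabet and use only the first 8 characters of
# the password. Modular formats announce themselves with a $id$ prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_PREFIXES = {
    "$1$": "md5",
    "$2$": "blowfish", "$2a$": "blowfish", "$2b$": "blowfish", "$2y$": "blowfish",
    "$5$": "sha256", "$6$": "sha512",
}
WEAK = {"des", "empty", "unknown"}  # formats worth flagging to the admin


def classify_hash(field):
    """Label one password field by the hash scheme that produced it."""
    if field == "":
        return "empty"          # no password at all: worse than DES
    if field[0] in "*!":
        return "locked"         # account disabled, nothing to migrate
    for prefix, name in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit(lines):
    """Return (user, label) for every entry whose hash scheme is weak."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        label = classify_hash(fields[1])
        if label in WEAK:
            findings.append((fields[0], label))
    return findings


# Constructed sample entries (hash values are made up, not real hashes).
SAMPLE = [
    "root:$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:$1$saltsalt$Kw7bD4oNpZqVx0UuT8yFh1:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:abJnggxhB/yWI:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "guest::1003:1003::0:0:Guest:/home/guest:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for user, label in audit(SAMPLE):
        print(f"{user}: {label}")
```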