A good mail about security from a discussion about firewalls that have been going on in the SVLUG list
-------- Original Message -------- Subject: Re: [svlug] Firewalls? Date: Tue, 23 Jan 2007 23:47:47 -0800 From: Rick Moen <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Quoting Raj Shekhar ([EMAIL PROTECTED]): > I did not get the part about the "wrong problem". Can you explain what > you mean by that ? Glad to. Security measures aim to handle anticipated _threat models_ -- scenarios of harm: Logically, before you can design (or pick) a security measure to implement, you need to articulate what threat you're trying to protect against, why it's a threat, what's at risk, why it's a more-significant threat than other risks you could be worrying about, etc. All of those measures you spoke of appear to assume implicitly that brute-force dictionary attacks across the Internet against your sshd -- e.g., the dozen bursts / day of about 23-30 "joe"-username login attempts each that typically hit every public IP on the Internet -- are a serious threat. Are they? For the sake of discussion, imagine that some attacker spends his ssh-attempting resources against only _your_ IP, and attempts to work constantly at progressing in some fashion through the userspace of all possible Linux usernames and passwords. (This never actually happens, but could in theory.) Bear in mind the considerable lagtimes within and between failed attempts. So: Guesstimate how long, on average, it's going to take to crack one of your login accounts that way. (For the sake of discussion, ignore the fact that your /var syste growing to stupendous sizes because of the sudden mountain of entries in /var/log/auth.log, which in fact would either be a tipoff or knock your system over.) It's pretty much going to be impossible for the attackers to get into your system that way, within geologic timescales -- unless you or one of your users happens to have used some unbelievably easy to guess username/password pairing. You might be able to see this coming: If your system allows users to employ some unbelievably easy to guess username/password pairing, isn't _that_ your actual fundamental problem, and not the doorknob-twisting so-called "attacks"? In my personal view, measures like you described (and I know such recommendations are made really, really frequently, so I'm not intending to single you out) lack any real point because they designate as a serious threat something that, realistically, is not actually significant at all, on any halfway reasonably run system. You could actually predict that by looking at what those ssh attackers typically try: They (or rather, their scripts) attempt only about a score of really lame username/password pairs, attempting to find some basically wide-open system, and the give up and move on to the next IP. Unfortunately, many Linux people don't stop and do threat analysis before designing and implementing suggested remedies. That's how we get massively overbuilt, over-complex systems that are aimed against things that aren't even really threats, while other _real_ threats don't get addressed for lack of time and resources. Security's a difficult problem, and also requires an attitudinal approach that's alien to most people, including particularly programmers. Here's an example: In cryptography, all other things being equal, the newest cipher designs from respected professional cryptographers should be expected to be stronger than the older ones, right? After all, the new designs are based on learning from the experience in designing and implementing the older ones. (We're counting, here, only older ciphers that haven't been cracked.) However, the exact opposite is actually the case: Older uncracked ciphers merit much greater trust than do newer uncracked ciphers, because they have a much longer history of surviving inventive, determined attacks of all sorts from other cryptographers. E.g., Bruce Schneier will tell you that his relatively new Twofish cipher is _probably_ a really good example of symmetric crypto, but is way too unseasoned to put much faith in yet, and that you're much better off relying on 3DES or Blowfish. And I predict that nine out of ten coders would tell you the newer ciphers will tend to be better. _______________________________________________ svlug mailing list [EMAIL PROTECTED] http://lists.svlug.org/lists/listinfo/svlug -- raj shekhar facts: http://rajshekhar.net | opinions: http://rajshekhar.net/blog I dare do all that may become a man; Who dares do more is none. _______________________________________________ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/