[CentOS] Re: Unknown rootkit causes compromised servers
on 1/29/2008 3:50 AM Jim Perrin spake the following:

On Jan 29, 2008 5:52 AM, mouss [EMAIL PROTECTED] wrote:

Jim Perrin wrote:

Along the lines of staying safe, now is probably a good time to check your password policies.

1. Don't allow root access to ssh. (modify /etc/ssh/sshd_config)

why isn't this the default?

Taking an educated guess on this one, I'd say to allow configuration after a remote install.

2. restrict root logins to only the local machine. (modify /etc/securetty)

3. Limit users with access to 'su' to the wheel group (use visudo and also modify /etc/pam.d/su)

same question here.

For this one I'd guess that it's because by default folks don't get added to wheel. So if an admin forgets to add his own user account, he can no longer gain root with 'su'. He has to walk his happy ass to the console to log in. Everything about the *nix culture points to not walking anywhere except possibly to a pub :-P

You mean I have to walk to the pub, too? ;-D

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't

signature.asc
Description: OpenPGP digital signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
[CentOS] Re: Unknown rootkit causes compromised servers
on 1/29/2008 8:39 AM Chris Mauritz spake the following:

Scott Silva wrote:

You mean I have to walk to the pub, too? ;-D

I'm sure somebody somewhere has written a 1 line perl script (and printed it on a T-shirt) that can magically make beer appear in your hands upon execution. :)

I tried grep beer and the system went off looking for some. I had to send a break before it would quit looking! I guess I taught it right! ;-P
[CentOS] Re: Unknown rootkit causes compromised servers
on 1/29/2008 8:00 AM Chris Mauritz spake the following:

Milton Calnek wrote:

If you don't like the defaults, get anaconda to change them for you. Or write a script that you run shortly after install to make the changes for you.

That would be pretty amazing if at the end (or at the beginning) of the install there was some checkbox that said something to the effect of: Would you like to maintain compatibility with upstream security defaults or would you like to follow our more sensible recommendations instead? And if the user chooses the latter, a much more secure default configuration could be applied. That might go a long way towards helping non-wizard folks to enjoy some measure of additional protection by default. Just a thought.

But again, that breaks upstream compatibility. Besides, all of you know that there are people that click yes on every dialog box without reading them. I swear that if you added a dialog box that stated their firstborn would be sacrificed to the IT gods, and recorded the answers, you would get a large percentage of yes clicks. And most of those would be unintentional.
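A post-install check for the three root-access settings listed earlier in the thread, in the spirit of the "script that you run shortly after install" suggested above. This is an added example, not code from any poster or from CentOS; the prefix argument, the function names and the sample files are constructed for illustration, and an unset PermitRootLogin is treated as a failure.

```shell
#!/bin/sh
# Added example: audit the three root-access settings listed in the thread.
# $1 is a prefix (hypothetical convention) so a copy of /etc can be checked.

# 1. sshd: the first PermitRootLogin in the global section wins; unset is
#    treated as a failure here (assumption: the default may permit root).
check_sshd_root() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' \
          "$1/etc/ssh/sshd_config" 2>/dev/null)
    [ "$val" = "no" ]
}

# 2. securetty: must exist and must not list pseudo-terminals (pts/N).
check_securetty() {
    [ -f "$1/etc/securetty" ] || return 1
    ! grep -Eq '^[[:space:]]*pts/' "$1/etc/securetty"
}

# 3. su: an uncommented "auth required pam_wheel.so" restricts su to wheel.
check_su_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
        "$1/etc/pam.d/su" 2>/dev/null
}

# Print one PASS/FAIL line per check; exit status is the failure count.
audit_root_access() {
    failures=0
    for check in check_sshd_root check_securetty check_su_wheel; do
        if "$check" "${1:-}"; then echo "PASS $check"
        else echo "FAIL $check"; failures=$((failures + 1)); fi
    done
    return "$failures"
}

# Constructed sample tree resembling an unhardened install: sshd and su
# lines still commented out, securetty limited to local consoles.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/etc/ssh" "$t/etc/pam.d" || return 1
    printf '#PermitRootLogin yes\n' > "$t/etc/ssh/sshd_config"
    printf 'console\ntty1\n' > "$t/etc/securetty"
    printf '#auth\t\trequired\tpam_wheel.so use_uid\n' > "$t/etc/pam.d/su"
    echo "$t"
}

sample=$(make_sample_tree)
audit_root_access "$sample" || echo "$? check(s) failed"
rm -rf "$sample"
```

Calling `audit_root_access ""` checks the live /etc; only the global section of sshd_config is read, so a PermitRootLogin inside a Match block is ignored.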
[CentOS] Re: Unknown rootkit causes compromised servers
on 1/29/2008 10:41 AM Johnny Hughes spake the following:

David Thompson wrote:

Michael A. Peters wrote:

I have never understood this. If I have a good, strong password that nobody knows, how is changing it to another one an improvement over what I already have?

I agree with you. For user accounts, changing one strong password for another gains you nothing, and may cause people to start writing things down, or choosing trivial passwords which still meet the password strength criteria, or whatever, actually weakening security. However, if you have admins who come into or leave employment, changing privileged account passwords (read: root or equiv) is a necessary activity.

I disagree with this too, changing one strong password for another gains you plenty if someone has compromised the initial one. The purpose of changing strong passwords is so that if someone has been fortunate enough to use some kind of method to get a password, they lose access again after the new password change and have to start over at the beginning to get back in. This gains you plenty if someone who is unauthorized loses access. If you are dealing with regular users, Bill will give Ted a password for one item when Bill goes on vacation since it is much easier than getting the IT weenies to change the access that Ted has ... besides he only needs to login one time while Bill is on vacation. However, if Bill never has to change his password then Ted has Bill's access forever. Then of course there is the brute force guessing, etc. Changing passwords at regular intervals is more secure than keeping the same passwords.

If I ever need to give root access to somebody else, I change the password before I give it out, and change it again after. Just in case I got lazy and used it somewhere else. Sometimes you get busy or just plain forget.