Re: Dedicated server vs. VPS

2012-03-05 Thread Bedwell, Jordon
On Mon, Mar 5, 2012 at 2:59 AM, Timh B  wrote:
> Hi,
>
> This should probably be discussed off-list, anyway - the one that has the
> most dedicated resources and has the best security policy. Generally when
> it comes to keeping the kernel/system tools updated it's all about your
> own OS since it's usually "independent" from the hostnode. Except kernel
> in the openvz-case where the provider is responsible for keeping the kernel
> up to date. There will always be undiscovered holes in the kernel and/or
> toolchain but a hoster that does not put their hardware nodes on the
> internet is one step closer to good security.

OpenVZ has nothing to do with it, all of them have that ability so
specifically mentioning OpenVZ when Xen is like that and so is VMware
(to an extent I guess) is absolutely pointless.  It's up to the
provider to decide what type of VM you have, and the fact is that most
of them chose not to give you access to the kernel because most of
them know how many unknown exploits there are, and keeping the Kernel
out of the VM space prevents kernel exploits (to a certain extent) but
good providers give you the ability to select your kernel or kick it
into a mode that allows you to use your own kernel.

> There is no way you can "restrict" a hosters access to your VPS, that's
> basically true for DS as well if you have the root-password in some sort
> of control-panel or if the support has it for some reason.

This is not true in any case, including a dedicated server.  It takes
but a minute and your drive to get access to your server, root
password or not, adjusted grub bootloader or not.  Saved in a control
panel or not.  This is a quite talked about subject when it comes to
Linux, but it's not really a security problem for the most part unless
you plan to get a laptop stolen or something, but there are clear ways
to fix that problem.  Unless that entire drive is encrypted and
requires the password to even boot they can get into it anytime they
want.  Dedicated servers are no more secure than VMs when it comes to
this.  It does however make them harder to manage and recover in user
error since they don't attach a TTY.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAN5oe=3epspsk27x4ovqblllshuj+c0ejfp34ey6yz2q46w...@mail.gmail.com



Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Bedwell, Jordon
On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik  wrote:
> On 03/01/12 18:57, Russell Coker wrote:
>> On Fri, 2 Mar 2012, Jordon Bedwell  wrote:
>>>> Run the command below.
>>>>
>>>>   grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>>>>
>>>> If you don't get 1 as output, your sshd is compromised.
>>> It returned 1, this happens on freshly installed Debian and Ubuntu too
>>> though, tested it on Ubuntu too.
>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>
>> If you have a sshd that is compromised in the same way as one was on one of
>> my servers then Anibal's command will give an output of 0.
>>
>> I don't know what relevance this has to a discussion of OpenSSH logging
>> though.
>>
>> I'd like to have OpenSSH log the email address field from a key that was used
>> for login so I could see something like "ssh key russ...@coker.com.au was
>> used to login to account rjc" in my logs.
>>
> From what I know that information (the comment on the key) is not very
> secure, Joe could put Bob as his comment...
>
> However one could do a look-up on the key from a key-server and get the
> email address that way.  This is assuming that ppl are using their
> gpg(email) keys for ssh.

I don't know if the chroot idea is legitimate or not, but I went ahead
and started a logger in /run/sshd/dev/log and there were still no logs
for publickey denied, and if this idea was actually for sure true, why
would it show successful logins in the log and not unsuccessful logins
in the log?


--
Archive: 
http://lists.debian.org/CAN5oe=0waxekp_rjvcb72d9subel35q_9mp1ue5pvqonmkc...@mail.gmail.com
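
A wrapper around the check quoted in this thread, as an added example that is not part of any poster's message: it separates grep's three exit statuses, because "not 1" also covers the case where the file could not be scanned at all. The function name and verdict strings are assumptions; a match points only at the marker string from the linked post, and no match does not show the binary is otherwise unmodified.

```shell
#!/bin/sh
# Added example (not from the thread). The pattern is copied verbatim from
# the quoted command; it is a basic regex, so each '.' matches any one byte.
MARKER='ssh:1.%.30s@%.128s.s password:'

# check_sshd_marker FILE   (hypothetical helper name)
# Prints one verdict and returns grep's exit status:
#   no-marker     (1)   pattern absent from the file
#   marker-found  (0)   pattern present, treat the host as suspect
#   scan-error    (>=2) file missing or unreadable, so nothing was checked
check_sshd_marker() {
    file=$1
    status=0
    # -a: scan the binary as text; -q: no output, exit status only.
    # LC_ALL=C keeps '.' matching single bytes regardless of locale.
    LC_ALL=C grep -q -a -e "$MARKER" -- "$file" || status=$?
    case $status in
        0) echo "marker-found" ;;
        1) echo "no-marker" ;;
        *) echo "scan-error" ;;
    esac
    return "$status"
}

# Stand-alone use: sh check.sh /usr/sbin/sshd
if [ "$#" -gt 0 ]; then
    check_sshd_marker "$1"
fi
```

Run it as root against the installed binary; a `scan-error` verdict means the check did not happen and should not be read as either result.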



Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Bedwell, Jordon
On Thu, Mar 1, 2012 at 3:16 PM, Mike Mestnik  wrote:
> On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote:
>>
>> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>>
>>>
>>> The problem is I cannot get sshd to log publickey denied errors to
>>> /var/log/auth.log so our daemons can ban these users.  I want to know
>>> what happened to messages like "publickey denied for [user] from [ip]"
>>> I cannot get it to log those messages at all no matter the logging
>>> level.
>>>
>>
>>
>
> The chroot doesn't have a socket to log to...
> Have syslog listen on something like: /var/run/sshd/dev/log

There is no chroot.  I hope I didn't imply there was or is one.


--
Archive: 
http://lists.debian.org/CAN5oe=2ZuwRdbGCTdgB4Wr7TfDVhHQwh9BDbWVctOBRvhNp=q...@mail.gmail.com