[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org
|
From: |
Bernie Innocenti |
|
Subject: |
Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade |
|
Date: |
Sun, 20 Feb 2011 19:53:03 -0500 |
On Sun, 2011-02-20 at 18:16 +0100, Jim Meyering wrote:
> > How about bouncing on fencepost, then?
>
> If you're concerned enough to be restricting access to the ssh port,
> routing ssh traffic through fencepost could be seen as counterproductive.
> Many people have access to fencepost.
You're right, but it's still better than the current situation.
Note that we firewall ssh on *all* our machines, not just Dom0. The idea
is to minimize the attack surface by exposing only the ports that are
required for production. If it sounds excessively prudent, consider that
the FSF is a high-profile target for crackers around the world.
> I'd go with fwknop:
>
> http://www.cipherdyne.org/fwknop/docs/SPA.html
>
> i.e., keep the ssh port closed, and open it momentarily only upon
> receipt of a packet whose contents is GPG signed by someone we'd let in.
This is a valid defense line only for automated scanners. It doesn't
address the original problem (one of the authorized keys leaking).
--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
- [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Sylvain Beucler, 2011/02/16
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Bernie Innocenti, 2011/02/16
- Message not available
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Sylvain Beucler, 2011/02/20
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Bernie Innocenti, 2011/02/20
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Jim Meyering, 2011/02/20
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade,
Bernie Innocenti <=
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Jim Meyering, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Bernie Innocenti, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Jim Meyering, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Bernie Innocenti, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Jim Meyering, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Bernie Innocenti, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Jim Meyering, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Bernie Innocenti, 2011/02/21
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Jim Meyering, 2011/02/22
- Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade, Michael J. Flickinger, 2011/02/22