From: Bernie Innocenti
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Tue, 22 Feb 2011 10:29:15 -0500
On Tue, 2011-02-22 at 10:18 +0100, Jim Meyering wrote:
> Why?
> Isn't IP restrictions + (fwknop-and-alt-ssh-port|fencepost-for-a-few)
> simple and effective enough?
I see openvpn as a safer, simpler and more structured solution than a
per-server fwknop, but my opinion doesn't count because I won't have to
use this myself (I connect through the FSF internal network).
Whatever the other Savannah hackers prefer is fine with me.
> > employ openvpn to access the FSF internal lan from remote clients. We
> > could set up a separate VPN for the Savannah machines.
>
> If I had to bet the house on immunity to exploit of a tool, I'd prefer
> ssh over openvpn, though not by much. ssh is used/audited a lot more.
Of course I'm not proposing to *replace* ssh with openvpn.
> fwknop is tiny and doesn't add a whole new protocol and networking.
>
> One reason for IP restrictions is to limit vulnerability if a 0-day
> exploit appears. How would using openvpn mitigate that?
> Actually, adding openvpn probably more than doubles what they
> call the attack surface.
How so? The ssh ports would be reachable only from within the VPN. For
extra safety, the OpenVPN server could run on a separate gateway
machine.
> > This is true only for plain desktops and trivial servers that don't
> > require any major change to the default configuration. Every time I did
> > something serious, eventually I was forced to either turn off SELinux or
> > start programming in obscure-language-for-custom-policy-definition.
>
> I think you've just agreed.
> The vast majority of users do nothing that requires them
> even to know about the existence of SELinux, much less its "policy".
Agreed, but I wish that such a sophisticated security system could also
be applied to high-profile servers such as savannah.gnu.org or
lists.gnu.org (with a reasonable amount of effort).
> [ You know, we've had this conversation before. Have you
> tried again in the last year or so (F13 or F14)? If there's
> a tool that gives you particular pain wrt SELinux, look again...
> maybe someone else has already written policy for it by now. ]
Yes, the policy keeps improving for old software, but software keeps
changing, therefore SELinux is never going to become painless. For
instance, on a Fedora 14 machine I have, SELinux prevents gdm from
loading the .face file for my account.
--
Bernie Innocenti
Systems Administrator, Free Software Foundation
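The design Bernie argues for above (sshd reachable only from inside the VPN, with OpenVPN as the single Internet-facing service) can be written down as a small firewall ruleset. The script below is an added illustration, not something from the thread or from the FSF/Savannah configuration; it assumes an OpenVPN interface named tun0, a VPN subnet of 10.8.0.0/24 and the default OpenVPN port 1194/udp, and it only prints an `iptables-restore` file for review rather than applying anything.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset in
# which sshd answers only to peers that have already authenticated to the VPN.
# Assumed values: tun0 = OpenVPN interface, 10.8.0.0/24 = VPN subnet,
# 1194/udp = OpenVPN listener. Review the output, then load it by hand with
# `iptables-restore < rules.v4` on a host where you have console access.

gen_vpn_only_ssh_rules() {
    vpn_if="$1"              # e.g. tun0
    vpn_net="$2"             # e.g. 10.8.0.0/24
    vpn_port="${3:-1194}"    # OpenVPN UDP port, default 1194
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# OpenVPN is the only service exposed to the Internet
-A INPUT -p udp --dport ${vpn_port} -j ACCEPT
# sshd is reachable only on the VPN interface, from the VPN subnet
-A INPUT -i ${vpn_if} -s ${vpn_net} -p tcp --dport 22 -j ACCEPT
# anything else aimed at ssh is logged (visible in the kernel log) and dropped
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-outside-vpn: "
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# Review helper: how many rules in a ruleset (on stdin) ACCEPT tcp/22?
# For the VPN-only design the answer must be exactly 1.
count_ssh_accepts() {
    grep -c -- '--dport 22 -j ACCEPT'
}

# Stand-alone use: print the ruleset and the review count.
if [ "${1:-}" = "--demo" ]; then
    rules=$(gen_vpn_only_ssh_rules tun0 10.8.0.0/24)
    printf '%s\n' "$rules"
    printf 'ssh ACCEPT rules: %s\n' "$(printf '%s\n' "$rules" | count_ssh_accepts)"
fi
```

The same effect can be reinforced inside sshd itself with `ListenAddress` set to the host's VPN address in `sshd_config`, so that a firewall mistake does not silently re-expose port 22. The LOG rule is the detection side of the argument in the thread: any ssh SYN that arrives outside tun0 is a probe or a misconfiguration, and either is worth seeing.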