If someone gets root on one of your boxes, all bets are off, as there's a very good chance that they'll get root on another one of them (by keylogging passwords, brute-forcing the password on a sudo-enabled account, passwordless ssh keys, hijacking a session, etc., etc.).
Wash, rinse, repeat.
Before you know it your whole DMZ is rooted (in more than one sense).
In short:
- If you find a compromised box on your network, assume there's more than one and order pizza... you're in for a long night.
- Segregate your networks so if someone, say, gets at your DMZ there's no way to get into your internal or other production network, i.e. no ssh or accessible services on your firewall machines on the DMZ interfaces.
i.e. It's not just an issue with ssh.
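One way to express the second point above in an OpenBSD pf(4) ruleset, as an added example that is not part of the original comment. Interface names (em0/em1/em2), the network ranges and the management host address are assumptions for illustration; the weak rule is left in as a comment beside the corrected rules so the difference is visible.

```pf
# Added example (not from the original post). Interface names and
# addresses below are assumptions: em0 = external, em1 = DMZ, em2 = internal.
ext_if   = "em0"
dmz_if   = "em1"
int_if   = "em2"
dmz_net  = "192.0.2.0/24"
int_net  = "10.0.0.0/24"
mgmt_host = "10.0.0.5"

set skip on lo0
block log all

# Weak (do not use): a single permissive rule on the DMZ interface lets any
# DMZ host reach the firewall's own addresses (ssh, etc.) and the internal net.
#   pass in on $dmz_if from $dmz_net to any

# Corrected: DMZ hosts may initiate connections outbound only. Anything from
# the DMZ aimed at the firewall itself ("self" = every address on every
# interface) or at the internal network is dropped before the pass rule.
block in log quick on $dmz_if from $dmz_net to { self, $int_net }
pass in on $dmz_if inet proto { tcp udp icmp } from $dmz_net to any

# Administrative ssh to the firewall only from one internal host, only on the
# internal interface. No equivalent rule exists for $dmz_if.
pass in on $int_if inet proto tcp from $mgmt_host to self port 22

# Internal hosts may talk to published DMZ services (stateful, so the reverse
# direction is only the reply traffic, never a new DMZ-initiated connection).
pass in on $int_if inet proto tcp from $int_net to $dmz_net port { 25 80 443 }

# Replies and outbound traffic leave via the external interface.
pass out on $ext_if
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Because pass rules in pf keep state by default, the DMZ only ever sees reply packets to connections the internal side opened; a rooted DMZ host still cannot open a new connection to the firewall or to the internal network, which is exactly the path the comment above describes.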
Re:Vast performance improvements. (on FreeBSD 6.0 Released)
Performance on OpenBSD is important but it's not the primary focus. If someone put an OpenBSD mail server in place knowing performance was going to be critical, then they chose the wrong system. If they chose it with security as the most important criterion then the move to FreeBSD will mean that this area isn't as strong as it was with the old system.
We all want the best tool for the job but the poster seems to imply that in moving from OpenBSD to FreeBSD there's a win in the performance arena without any loss elsewhere. OpenBSD focuses on security. On top of the system-wide security features, the in-tree OpenBSD sendmail instance has lots of OBSD-specific patches (http://www.openbsd.org/security.html). For example, when OpenBSD chose their MP implementation, they deliberately chose biglock because of its (relative) simplicity. This is important because the OpenBSD codebase is actively audited. The fine-grained locking in the FreeBSD MP implementation is obviously going to blow OpenBSD away but at the cost of simplicity (bugs and security issues are harder to find in complex code).
I had this too. The problem showed up for the first time when I was playing around with timing for the screensaver. It then went away when I set the screensaver to come on after the computer went to sleep, i.e. sleep after 5 minutes of inactivity, turn on the screensaver after 15 minutes of inactivity.
I live in Morocco, in a large city, and wanted to share an internet connection with someone in my neighbourhood (I don't have a phone line in my place). Do you think there were any WAPs in the vicinity of my apartment? No... not one...
You want fewer WAPs, I want more. Interesting perspective...
Adaptec don't provide documentation (OpenBSD Clashes with Adaptec In Quest for Docs) and LSI abuse the patent system.
So who's left?
"Star Wars Episode III: Revenge of the Sith Trailer"?
So the Sith have trailer parks too?
Your honour, 'It's the constitution... it's Mabo ...it's the vibe'