savannah-hackers-public

Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Bernie Innocenti
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Sun, 20 Feb 2011 19:53:03 -0500

On Sun, 2011-02-20 at 18:16 +0100, Jim Meyering wrote: 
> > How about bouncing on fencepost, then?
> 
> If you're concerned enough to be restricting access to the ssh port,
> routing ssh traffic through fencepost could be seen as counterproductive.
> Many people have access to fencepost.

You're right, but it's still better than the current situation.

Note that we firewall ssh on *all* our machines, not just Dom0. The idea
is to minimize the attack surface by exposing only the ports that are
required for production. If it sounds excessively prudent, consider that
the FSF is a high-profile target for crackers around the world.


> I'd go with fwknop:
> 
>     http://www.cipherdyne.org/fwknop/docs/SPA.html
> 
> i.e., keep the ssh port closed, and open it momentarily only upon
> receipt of a packet whose contents are GPG-signed by someone we'd let in.

This is a valid defense line only for automated scanners. It doesn't
address the original problem (one of the authorized keys leaking).

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
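The SPA gate discussed above, as an added example that is not part of this thread or of fwknop itself: a minimal server-side check that opens a port only for a fresh, authenticated, non-replayed packet, with a stub in place of the firewall call. It assumes per-user HMAC keys instead of the GPG signatures fwknop supports, and the user names, keys and addresses are constructed. The last assertion in the test is Bernie's point: a packet built with a leaked key from a new host is accepted.

```python
import hashlib
import hmac
import json
import time

# Constructed sample keys; real deployments would use GPG or a per-user HMAC key file.
ALLOWED_KEYS = {"alice": b"constructed-secret-for-alice"}
FRESHNESS_SECS = 30   # reject packets whose timestamp is older than this
OPEN_FOR_SECS = 20    # how long the firewall hole stays open


def _canonical(fields):
    """Bytes that get authenticated: the same serialisation on client and server."""
    return json.dumps(fields, sort_keys=True).encode()


def build_packet(user, key, src, port, ts):
    """Client side: sign the request fields (assumed format, not fwknop's wire format)."""
    fields = {"user": user, "src": src, "port": port, "ts": ts}
    fields["mac"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return json.dumps(fields).encode()


class SpaServer:
    def __init__(self, now=time.time):
        self.now = now
        self.seen = set()    # digests already accepted, for replay protection
        self.rules = []      # (src_ip, port, expires_at) the firewall would add

    def handle(self, raw, src_ip):
        """Return the rule opened for this packet, or None to drop it silently."""
        try:
            msg = json.loads(raw)
            fields = {k: msg[k] for k in ("user", "src", "port", "ts")}
            key = ALLOWED_KEYS[msg["user"]]
            if not isinstance(fields["ts"], int):
                return None
        except (ValueError, KeyError, TypeError):
            return None     # malformed or unknown user: nothing is revealed
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return None     # unsigned or wrongly signed: a scanner sees a closed port
        if abs(self.now() - fields["ts"]) > FRESHNESS_SECS or expected in self.seen:
            return None     # stale or replayed packet
        if fields["src"] != src_ip:
            return None     # like fwknop's REQUIRE_SOURCE_ADDRESS check
        self.seen.add(expected)
        rule = (src_ip, fields["port"], self.now() + OPEN_FOR_SECS)
        self.rules.append(rule)   # stub for the real "insert accept rule" call
        return rule
```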