Security basics

Tod Merley todbot88 at gmail.com
Fri Oct 5 02:17:30 UTC 2007


On 10/5/07, Jonathan Underwood <jonathan.underwood at gmail.com> wrote:
> On 04/10/2007, Tod Merley <todbot88 at gmail.com> wrote:
> > On 10/4/07, Alan M. Evans <fedoralist at alanevans.org> wrote:
> > > On Thu, 2007-10-04 at 00:26 +0100, Jonathan Underwood wrote:
> > > > On 03/10/2007, Alan M. Evans <fedoralist at alanevans.org> wrote:
> > > > > Keep your SSH and your "real password" and sleep like a baby. As for me,
> > > > > I won't trust SSH alone. I employ other methods, including rsa keys,
> > > > > special iptables rules, and SELinux, to enhance the security of my
> > > > > system. (For the record, I run SSH on the standard port, despite the
> > > > > fact that I claim it would enhance security further.)
> > > > >
> > > >
> > > > I'd be interested to know what SElinux policy changes you've
> > > > implemented to add further security to sshd?
> > >
> > > None, actually. Sorry if I was misunderstood. I merely mentioned SELinux
> > > because I'm aware that Karl doesn't think it's useful and I do because
> > > of the "layered security" model that I was discussing. Karl was saying,
> > > in effect, that SSH and a "good" password were enough, and that's why I
> > > was mentioning layered security.
> > >
> > > In retrospect, it probably shouldn't have been lumped in with the rsa
> > > keys and iptables rules.
> > >
> > > (Also, Karl may not have anything against SELinux. I just made that
> > > statement without researching the list history because in my mind I
> > > lumped him in with the cabal of anti-SELinux guys. That impression may
> > > be incorrect.)
> > >
> > > --
> > > fedora-list mailing list
> > > fedora-list at redhat.com
> > > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> > >
> >
> > Hi Alan!
> >
> > With SSH and similar popular connection tools I would like to see a
> > utility which sets up a client on the machine seeking the connection
> > which talks to a server on the machine being connected to.  The
> > utility would use a customized "query / response" protocol on a
> > non-standard port to turn on the connection tool (e.g. SSH) and
> > establish that the connection be made on a random non-standard port,
> > the identity of which is communicated by a custom encrypted packet.
> >
> > The original query to the server would need to be proper to elicit a
> > response.  So, the keys to the box, and the location of the locks are
> > only known to the user.
> >
> > Anyone already doing this?
> >
>
> I think you're describing port knocking - read
>
> http://en.wikipedia.org/wiki/Port_knocking
>
> and look at the links at the end.
>
> J.
>
Hi Jonathan Underwood!

Yes, exactly what I was thinking of - developed, elaborated, and expanded.

Thanks Much!

Tod
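The query/response exchange sketched earlier in this thread (an authenticated knock that opens the service and reports back a random port) is shown below as an added example; it is not code from the thread, from any port-knocking project, or from the Wikipedia links. The packet layout, the tags `KNK1`/`RPL1`, the 30-second freshness window, the shared secret and all function names are assumptions made for this illustration. The two sides are plain functions rather than sockets, so the exchange and its failure modes (forged key, replayed knock, stale knock) can be run offline.

```python
"""Single-packet 'knock' exchange with an HMAC-authenticated query and reply.

Constructed illustration of the query/response idea: the client sends one
authenticated datagram; the server answers only if the MAC, the time window
and the replay check all pass, and the answer carries the port on which the
real service (e.g. SSH) would then be opened. No sockets are used.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

KNOCK_MAGIC = b"KNK1"          # constructed protocol tag, not a real standard
REPLY_MAGIC = b"RPL1"
WINDOW_SECONDS = 30            # assumed: how stale a knock may be before rejection
TAG_LEN = 32                   # HMAC-SHA256 output size


def build_knock(secret: bytes, now: Optional[float] = None,
                nonce: Optional[bytes] = None) -> bytes:
    """Client side: MAGIC || timestamp(8) || nonce(16) || HMAC over those bytes."""
    ts = int(now if now is not None else time.time())
    nonce = nonce if nonce is not None else os.urandom(16)
    body = KNOCK_MAGIC + struct.pack("!Q", ts) + nonce
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class KnockServer:
    """Server side: validates knocks and issues a one-time port in the reply."""

    def __init__(self, secret: bytes, port_range=(20000, 60000)):
        self.secret = secret
        self.port_range = port_range
        self.seen_nonces = set()           # replay cache (unbounded here; prune in practice)

    def verify_knock(self, packet: bytes, now: Optional[float] = None) -> Optional[bytes]:
        """Return the nonce if the knock is genuine, fresh and unseen; otherwise None."""
        if len(packet) != len(KNOCK_MAGIC) + 8 + 16 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # MAC check first, in constant time: an unauthenticated packet gets no further look.
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        if body[:4] != KNOCK_MAGIC:
            return None
        ts = struct.unpack("!Q", body[4:12])[0]
        nonce = body[12:28]
        current = int(now if now is not None else time.time())
        if abs(current - ts) > WINDOW_SECONDS:
            return None                    # stale or clock-skewed knock
        if nonce in self.seen_nonces:
            return None                    # replayed knock
        self.seen_nonces.add(nonce)
        return nonce

    def build_reply(self, nonce: bytes, port: Optional[int] = None) -> Tuple[int, bytes]:
        """Pick a random port in range; return it and a reply bound to the client's nonce."""
        lo, hi = self.port_range
        if port is None:
            port = lo + int.from_bytes(os.urandom(2), "big") % (hi - lo)
        body = REPLY_MAGIC + nonce + struct.pack("!H", port)
        return port, body + hmac.new(self.secret, body, hashlib.sha256).digest()


def read_reply(secret: bytes, nonce: bytes, reply: bytes) -> Optional[int]:
    """Client side: accept the port only if the reply is authentic and answers our nonce."""
    if len(reply) != len(REPLY_MAGIC) + 16 + 2 + TAG_LEN:
        return None
    body, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(secret, body, hashlib.sha256).digest()):
        return None
    if body[:4] != REPLY_MAGIC or body[4:20] != nonce:
        return None
    return struct.unpack("!H", body[20:22])[0]


def run_exchange(secret: bytes, now: float = 1_000_000.0) -> dict:
    """One full exchange plus the three rejections a defender would want to confirm."""
    server = KnockServer(secret)
    knock = build_knock(secret, now)
    nonce = server.verify_knock(knock, now)
    port, reply = server.build_reply(nonce)
    result = {"port": read_reply(secret, nonce, reply)}
    result["replay_rejected"] = server.verify_knock(knock, now) is None
    # A knock under the wrong key fails the MAC before any timestamp/nonce logic runs.
    forged = build_knock(b"wrong-key", now)
    result["forgery_rejected"] = server.verify_knock(forged, now) is None
    # A genuine knock older than the window is refused as stale.
    old = build_knock(secret, now - WINDOW_SECONDS - 1)
    result["stale_rejected"] = server.verify_knock(old, now) is None
    return result


if __name__ == "__main__":
    print(run_exchange(b"constructed-shared-secret"))
```

The design point is that the knock is authenticated rather than merely obscure: the server reveals nothing to a packet that fails the MAC, the timestamp and nonce cache stop an observer from replaying a captured knock, and the reply is bound to the client's nonce so a reply for one knock cannot be substituted for another. In a real deployment the server would open the reported port only for the knocking source address and close it again after a short timeout.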
