On Sunday 17 February 2008, Grant wrote:

> > What wasn't mentioned is that SSL covers transport encryption, not
> > necessarily application security. What that means is if you open IMAP,
> > SMTP, CUPS, and SSH daemons over the internet then you also need to keep
> > (better) track of security vulnerabilities found in those applications,
> > and fix them as needed. SSL alone won't help you there. Whereas if
> > you're only running, say OpenVPN over the Internet then that's the only
> > application you gotta look out for.
> >
> > Also, doing things such as running IMAP over SSL using accounts with
> > weak passwords doesn't gain you much either.
>
> Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world'
> generally enough as far as tracking security vulnerabilities?

It will sure help. So will strong passwds, denyhosts, or fail2ban and
equivalents, a well configured IDS, etc. and close monitoring of the log
files. Let's be honest, a machine that runs services has the potential to
get cracked one way or another. A well configured machine has a
disproportionately small probability of getting cracked, than your average
WinXP IT illiterate user around the world. So, it's really a matter of how
paranoid you would like to get about it.
--
Regards,
Mick