| 1 |
On Sunday 17 February 2008, Grant wrote: |
| 2 |
|
| 3 |
> > What wasn't mentioned is that SSL covers transport encryption, not |
| 4 |
> > necessarily application security. What that means is if you open IMAP, |
| 5 |
> > SMTP, CUPS, and SSH daemons over the internet then you also need to keep |
| 6 |
> > (better) track of security vulnerabilities found in those applications, |
| 7 |
> > and fix them as needed. SSL alone won't help you there. Whereas if |
| 8 |
> > you're only running, say OpenVPN over the Internet then that's the only |
| 9 |
> > application you gotta look out for. |
| 10 |
> > |
| 11 |
> > Also, doing things such as running IMAP over SSL using accounts with |
| 12 |
> > weak passwords doesn't gain you much either. |
| 13 |
> |
| 14 |
> Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world' |
| 15 |
> generally enough as far as tracking security vulnerabilities? |
| 16 |
|
| 17 |
It will sure help. So will strong passwds, denyhosts, or fail2ban and |
| 18 |
equivalents, a well configured IDS, etc. and close monitoring of the log |
| 19 |
files. Let's be honest, a machine that runs services has the potential to |
| 20 |
get cracked one way or another. A well configured machine has a |
| 21 |
disproportionately small probability of getting cracked, than your average |
| 22 |
WinXP IT illiterate user around the world. So, it's really a matter of how |
| 23 |
paranoid you would like to get about it. |
| 24 |
-- |
| 25 |
Regards, |
| 26 |
Mick |
Archives