Date: Sun, 11 Dec 2011 16:53:02 +0200
From: Alex Efros
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Message-ID: <20111211145302.GE1990@home.power>
In-Reply-To: <20111211142519.GA12313@gentoo.org>
References: <4EE3BE6B.6050507@libertytrek.org> <20111210145204.39ec9cba@khorne.mthode.org> <20111211101851.GA1810@gentoo.org> <20111211122043.GD1990@home.power> <20111211142519.GA12313@gentoo.org>
Organization: http://powerman.name/
User-Agent: Mutt/1.5.21 (2010-09-15)

Hi!

On Sun, Dec 11, 2011 at 02:25:19PM +0000, Sven Vermeulen wrote:
> > 1) How can
> >   4.2.4.1. Root Logon Through SSH Is Not Allowed
> > increase security, if we're already using
> >   4.2.4.2. Public Key Authentication Only
> > Disabling root may make sense with password auth, but with keys it is
> > just a useless inconvenience.
>
> I read somewhere that security is about making things more inconvenient for
> malicious people than for authorized ones.
>
> For me, immediately logging in as root is not done. I want to limit root
> access through the regular accounts on the system (with su(do)). I never had
> the need to log on as root immediately myself.

Understood. But I still don't see how this can increase security.

> hardening measures, glsa-check, cvechecker and the like to mitigate risks of

Been there, done that, it doesn't work: on average, after 1-1.5 years of
security-only updates we end up with the next security update depending on a
few other packages, which in turn pull in 80% of the other @world updates. So
we have to emerge world anyway every ~1.5 years, but such delayed updates
weren't tested by anyone and usually cause a lot of trouble, resulting in the
server being offline for several days. Daily world updates are much easier to
manage, even with the need to check these updates on test servers first,
before updating production servers. (And daily updates are usually easy to
roll back and debug in case of unexpected trouble.) Because of this I don't
think Gentoo is capable of acting as an LTS release with security-only updates
like some other distributions.

-- 
WBR, Alex.
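As an added illustration of the two handbook items debated above (example code, not from the thread or the Gentoo handbook): a POSIX sh check that reads a constructed sshd_config the way sshd does, where the first occurrence of a keyword wins and anything after a Match line is conditional, and reports whether root password logins (4.2.4.1) and password authentication in general (4.2.4.2) are both off. The function names and the sample config are my own.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from the thread). sshd honours the
# FIRST occurrence of a keyword, ignores later duplicates, and treats
# everything after a "Match" line as conditional, not global.
SAMPLE_CONFIG='
Port 22
permitrootlogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes     # ignored: first occurrence wins
Match User backup
    PasswordAuthentication yes # only applies inside the Match block
'

# effective_setting KEYWORD CONFIG_TEXT
# Prints the effective global value of KEYWORD (case-insensitive match),
# or "default" when the config never sets it in the global section.
effective_setting() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                # drop comments
        NF == 0 { next }                                  # skip blank lines
        tolower($1) == "match" { exit }                   # global part ends
        tolower($1) == key { print $2; found = 1; exit }  # first one wins
        END { if (!found) print "default" }
    '
}

# check_ssh_hardening CONFIG_TEXT
# Returns 0 when both handbook items hold: root cannot log in with a
# password (4.2.4.1) and password authentication is off for all users
# (4.2.4.2). Prints one FAIL line per unmet item, otherwise an OK line.
check_ssh_hardening() {
    root=$(effective_setting PermitRootLogin "$1")
    pw=$(effective_setting PasswordAuthentication "$1")
    rc=0
    case "$root" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "FAIL PermitRootLogin=$root (yes was the default before OpenSSH 7.0)"; rc=1 ;;
    esac
    case "$pw" in
        no) ;;
        *) echo "FAIL PasswordAuthentication=$pw (default is yes)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK PermitRootLogin=$root PasswordAuthentication=$pw"
    return "$rc"
}

check_ssh_hardening "$SAMPLE_CONFIG"
```

Point it at a real file with `check_ssh_hardening "$(cat /etc/ssh/sshd_config)"`; on hosts with OpenSSH 6.8 or later, `sshd -T` prints the fully resolved values and is the authoritative cross-check.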