Date: Wed, 11 Nov 2015 00:22:22 +0100
From: 
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OpenSSH upgrade warning
Message-ID: <20151111002222.13a1bf4d@hal9000.localdomain>
In-Reply-To: <5642661A.4030407@gmail.com>
References: <56414A8C.1080701@gentoo.org> <56420DB1.80302@gmail.com>
 <56421438.4080202@gentoo.org> <1702148.kV3uT6Ls87@andromeda>
 <56421AB8.1080003@gentoo.org> <20151110215257.032cf534@hal9000.localdomain>
 <56425AD5.9040400@gentoo.org> <20151110221149.47a15177@hal9000.localdomain>
 <56426066.6020908@gentoo.org> <5642661A.4030407@gmail.com>

Dale wrote:
> Michael Orlitzky wrote:
> > On 11/10/2015 04:11 PM, wabenbau@gmail.com wrote:
> >> You can disable password login for that user on the server. Then
> >> he can only login via ssh key. With only the knowledge of the root
> >> password it is not possible to gain root access to the server. An
> >> attacker also needs the ssh key. And with a camera, keylogger, or
> >> measuring radiation he cannot fetch that key.
> >>
> > This is pretty close to what I originally asked for, thank you.
> > If you disable all password logins to the server AND disable remote
> > root logins altogether, then you can stop someone from gaining root
> > by peeking over your shoulder as you type.
> >
> > Unless they bash you over the head and swipe your laptop. But still,
> > I'll take it.
> >
>
> Now I'm curious. Just how often does all this stuff take place? I
> figure when hackers attack, they go straight for root access anyway.
> If that access is disabled then they will never get in, no matter how
> long they try. From what little I know, even if they have the root
> password they still can't get in unless they also have the other user
> account to login with first.

A server is called a server because it has something to serve. ;-)

If these services (web, ftp, mail, file or whatever else) are accessible
through a public network (Internet, Intranet, WLAN) then attackers are
looking for vulnerabilities in these services. Often they use exploit
kits like Blackhole for that. If they find a vulnerability, they try to
exploit it.
Whether the attackers are successful or not also depends on how well
the server is hardened, that is, how well it is protected against such
vulnerable services. There are different mechanisms for such protection:
for example simple chroot() jails or, much more complex, access control
systems like AppArmor and SELinux for isolating services, and SSP and
PaX for protection against stack- and buffer-overflow based exploits.

-- 
Regards
wabe
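Added example, not code from the thread: a small POSIX shell audit of an sshd_config file for the two settings Michael and wabenbau discuss (PasswordAuthentication and PermitRootLogin), plus ChallengeResponseAuthentication, which with UsePAM can still prompt for the account password. The sample configs, the user name "backup" and the function names are constructed for the example; it assumes whitespace-separated "Keyword value" lines and reads only the global section before the first Match block.

```shell
# Print the effective global value of a keyword, lower-cased, or
# "default" if it is never set. sshd keeps the FIRST occurrence it sees,
# so a later duplicate does not override an earlier line.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }        # comment or blank line
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Return 0 when password logins and direct root logins are both off,
# 1 otherwise, printing one finding per line. ChallengeResponse-
# Authentication is checked too: with UsePAM, keyboard-interactive
# auth can still ask for the account password unless it is off.
audit_sshd_config() {
    rc=0
    for check in PasswordAuthentication PermitRootLogin \
                 ChallengeResponseAuthentication; do
        val=$(sshd_global_value "$1" "$check")
        if [ "$val" != "no" ]; then
            echo "$check is '$val' (want no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for a self-test (not from any real host).
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock-looking config: passwords allowed, root may log in directly
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
# the duplicate below is ignored by sshd, which keeps the first value
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG" || echo "weak config needs the fixes above"
```

The same checks can be run against a live host with `sshd -T`, which prints the fully resolved configuration rather than the file.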