On Sat, 31 Jan 2004 08:12:24 -0500, Blaine Simpson
<blaine.simpson@???> wrote:
>Try doing a web search for "ssh exploit" or "ssh advisory" or go
>to any security advisory site like cvs.mitre.org.
Well, thanks. So you are not aware of any current problems with
openssh. Thanks for talking about this.
Can you spell FUD?
>If you apply security patches regularly and lock down with tcp wrappers or
>some other form of ip filtering, it's excellent. Otherwise it's not. Both
>ssh and http can be secure or insecure. The differentiation is that a
>break in to sshd is generally a much more serious thing than a break in to
>a web site.
ssh needs to be installed anyway. But there are, however, many mail
servers that do not have, and do not need, a web server.
>First off, the purpose of sshd is to use some authentication mechanism to
>give a login, including a root login. (Configuring sshd to prevent this
>is safer,
... and the default on all machines I install.
[Tomcat advertisement snipped]
>You may notice that the normal procedure at nearly every large IT company
>is as follows: The main firewalls from the Internet permit all incoming
>traffic on http and https ports.
There is no excuse for stupid firewall rules.
>On the
>other hand, ssh is usually prohibited from everywhere except specific IP
>addresses and/or VPN.
That's a typical suit stance. "If we don't use it, it must be
dangerous".
And no, I would never leave an exim admin interface open to the
general public over any access way - ssh or http.
ssh can be closed down with a packet filter or tcp wrappers since you
know from where your admins ssh in. If you have a public and a
non-public http service on the same machine, you'll need to rely on
the web server to separate the privileges.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
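The lockdown both posters describe (no root login over ssh, and sshd reachable only from the admins' known source addresses, enforced by tcp wrappers and by a packet filter) as a worked example. This is an added illustration, not code from the thread or from any of its authors. The admin networks in ADMIN_NETS are constructed sample addresses, the functions print the rules and commands rather than applying them, and the sshd_config files fed to the check are constructed in the usage block. The hosts.allow/hosts.deny lines only take effect if sshd was built with libwrap, which OpenSSH of that era was (support was removed in OpenSSH 6.7), so the packet-filter rules are the layer that does not depend on the daemon.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the three pieces of
# the lockdown discussed above and checks an sshd_config for root logins.
# ADMIN_NETS is a constructed sample; replace with the real admin sources.
# tcp wrappers wants net/mask pairs, so the mask form is used here.
ADMIN_NETS="${ADMIN_NETS:-192.0.2.0/255.255.255.0 198.51.100.7}"

# Line for /etc/hosts.allow: only the listed sources may reach sshd.
wrappers_allow_line() {
    printf 'sshd: %s\n' "$ADMIN_NETS"
}

# Line for /etc/hosts.deny: everybody else is refused (wrappers consult
# hosts.allow first, then hosts.deny, so this is the default-deny catch-all).
wrappers_deny_line() {
    printf 'sshd: ALL\n'
}

# Equivalent packet-filter rules (iptables, printed, not executed): accept
# port 22 from each admin source, then drop everything else aimed at it.
pf_rules() {
    for net in $ADMIN_NETS; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Succeed (exit 0) only if the sshd_config given as $1 explicitly sets
# PermitRootLogin to "no" in its global section. sshd honours the first
# occurrence of a keyword, and anything below a Match block applies only to
# that block, so the scan stops at the first match or the first "Match".
# An absent keyword means the compiled-in default applies, which on the
# OpenSSH of the time was "yes", so absence is reported as not disabled.
root_login_disabled() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Usage: write the rules to stdout and audit a constructed config.
if [ "${1:-}" = "--demo" ]; then
    echo "# /etc/hosts.allow"; wrappers_allow_line
    echo "# /etc/hosts.deny";  wrappers_deny_line
    echo "# packet filter";    pf_rules
    cfg=$(mktemp)
    printf '# constructed sample sshd_config\nPort 22\nPermitRootLogin no\n' > "$cfg"
    if root_login_disabled "$cfg"; then
        echo "$cfg: root login disabled"
    else
        echo "$cfg: root login NOT disabled"
    fi
    rm -f "$cfg"
fi
```

Run it with `sh lockdown.sh --demo` to see the generated lines; feed `root_login_disabled /etc/ssh/sshd_config` into a cron job or login script to catch a box where the setting was never made explicit.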