savannah-hackers-public

Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Sylvain Beucler
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Sun, 20 Feb 2011 12:13:31 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

Hi,

On Wed, Feb 16, 2011 at 04:19:23PM -0500, Bernardo Innocenti via RT wrote:
> > SSH is visible but Debian 5 is still supported for at least a year, so
> > no impact on security.
> 
> SSH is also not accessible from the public internet on most of our
> Dom0s... Colonialone seems to be the only exception.
> 
> For improved security, we could limit access to the IPs of people who
> need to have access? Regardless of which version of Debian we use, this
> would protect us from 0-day exploits and compromised keys.

That would be quite inconvenient.
This is also an extremely risky way to consider security, because
AFAICS it makes you think running a 1000-days-old kernel (with at
least 2 root privilege escalation kernel exploits around) is safe.


> > > Whenever you choose to go ahead, I could assist you any day from 10am to 
> > > 4pm.
> > 
> > Does that include going at the colo?
> 
> As long as we don't make the machine unbootable, we should be able to
> recover it remotely from the serial console.

And it's actually the 'make the machine unbootable' case that I want
to cover :)

That, and your expertise on possible coreboot-related Xen issues.
Let us know when you have tested recent Xen some more :)

-- 
Sylvain


