
Re: [Savannah-hackers-public] Re: [ #670138]

From: Bernie Innocenti
Subject: Re: [Savannah-hackers-public] Re: [ #670138] Dom0 upgrade
Date: Tue, 22 Feb 2011 10:29:15 -0500

On Tue, 2011-02-22 at 10:18 +0100, Jim Meyering wrote:

> Why?
> Isn't IP restrictions + (fwknop-and-alt-ssh-port|fencepost-for-a-few)
> simple and effective enough?

I see openvpn as a safer, simpler and more structured solution than a
per-server fwknop, but my opinion doesn't count because I won't have to
use this myself (I connect through the FSF internal network).

Whatever the other Savannah hackers prefer is fine with me.

> > employ openvpn to access the FSF internal lan from remote clients. We
> > could setup a separate VPN for the Savannah machines.
> If I had to bet the house on immunity to exploit of a tool, I'd prefer
> ssh over openvpn, though not by much.  ssh is used/audited a lot more.

Of course I'm not proposing to *replace* ssh with openvpn.

> fwknop is tiny and doesn't add a whole new protocol and networking.
> One reason for IP restrictions is to limit vulnerability if a 0-day
> exploit appears.  How would using openvpn mitigate that?
> Actually, adding openvpn probably more than doubles what they
> call the attack surface.

How so? The ssh ports would be reachable only from within the VPN. For
extra safety, the OpenVPN server could run on a separate gateway.

> > This is true only for plain desktops and trivial servers that don't
> > require any major change to the default configuration. Every time I did
> > something serious, eventually I was forced to either turn off SElinux or
> > start programming in obscure-language-for-custom-policy-definition.
> I think you've just agreed.
> The vast majority of users do nothing that requires them
> even to know about the existence of SELinux, much less its "policy".

Agreed, but I wish that such a sophisticated security system could also
be applied to high-profile servers such as or (with a reasonable amount of effort).

> [ You know, we've had this conversation before.  Have you
>   tried again in the last year or so (F13 or F14)?  If there's
>   a tool that gives you particular pain wrt SELinux, look again...
>   maybe someone else has already written policy for it by now.  ]

Yes, the policy keeps improving for old software, but software keeps
changing, therefore SElinux is never going to become painless. For
instance, on a Fedora 14 machine I have, SElinux prevents gdm from
loading the .face file for my account.

Bernie Innocenti
Systems Administrator, Free Software Foundation
