It's been an interesting if somewhat heated discussion. Figures the fun ones come up when I'm away. ;)

The discussion of using Certs (PKI) vs Passwords to secure SSH seems to be missing an important piece of the puzzle, and that to my mind is attack vectors & target value. The argument I saw against PKI is that it's no more secure than regular passwords because your certificates are password protected anyways and stored on external media so they can be stolen and used to access the system.

Like the OP I run a web server (two in my case) and I have external SSH access for certain reasons. I've got things like fail2ban installed, various logwatch type software running to alert me to any abnormal entries. I also have cert-based access to my machine.

In my case, the primary attack vector for hackers getting at my servers is via the web. Because I host primarily personal websites on my servers, the hacker's motivation for breaking into my server (aside from 'it's there') is to turn the machine into a bot-net or host some Viagra phishing sites on it.

The concern, for me, is more about remote compromise than about physical theft of my USB token. A Russian hacker who wants another compromised machine for his bot-net or phishing ring is probably not going to go to the effort of physically flying over here from Europe and spending the time needed to track me down, break into my office, and steal my USB token. He's more likely to move on to another target one of his script-kiddies found for him.

--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos