Thanks for your insights and thoughts. I would be in denial, except
that I can't ignore that my system was rebooted by an actor other than
me. Yes, I should be reviewing the logs more. I'm not sure about SSH
certificate access as there seems to be a very active attack directly
against these in the last few months. And, many of the systems I was
using to SSH into my box aren't as physically secure and if they were
hacked, it would give access to my set up.
SELinux, I'll have to look into it more. As you mentioned, I have been
turning it off.
And, I was wrong, now that I am recovering things, I can see I was
running Fedora 19, not 13. Memory can be a bit fickle :)
My passwords are at least 14 characters (I just counted on my fingers)
and fairly complex. But I'm still grappling with the fact that I have a
low bandwidth connection and a brute force attack should be prohibitively
slow. I can see a lot of attempts, thousands for sure, but it should
take a lot more than that.
I've been using SSH to make a VNC tunnel so I can access this desktop
from anywhere. Which has lots of advantages, especially when accessing
sites that have 2 factor authentication.
I've been refusing to make my phone into a security device. It's a toy
or perhaps a tool for business. So, my contact number has been a land
line via voice for the 2nd factor.
I'm going to have to review everything and come up with a new solution.
Maybe I'll get two phones or something. But the whole shoving ads and
"news" at me and forced upgrades and harvesting of personal information
really turn me off about phones. Friends complain that I never have my
phone on me. I am somewhat surprised that they think I should be
instantly available almost 24/7. Well, I prefer to control my time as
opposed to letting the Borg/phone do it.
I'm delusional, I know, I still think I'm somebody and I'm not quite
willing to join the Borg of nobodies :)
-Gary
On Tue, Aug 09, 2022 at 09:29:37AM -0700, Charles Polisher wrote:
On 8/8/22 09:39, saclug(a)garymcglinn.com wrote:
My experience with the upgrade treadmill is that it is a waste of time.
By its own admission (if a concept can have that) the new versions will
have issues and you need to upgrade. If the issues with an older
version don't affect you, then it is perfectly fine to use it. Why
upgrade and risk the fact that the new issues will affect your use case.
This is a perfectly valid viewpoint. A friend in the computer security
industry, a senior developer, agrees with you 100%. Like all things
security, this stance has plusses and minuses, but it's sensible.
If that's your choice, there's a premium on defending your system's
attack surface, and maintaining due diligence. Since you've chosen
Fedora, SELinux should be enabled (I know, there are a million
recommendations to turn it off, all wrong) and a solid set of firewall
rules should be in place. Certificate-only SSH might have prevented
your last attacker from compromising the host, or a 14-character
passphrase, or diligent log review. For example (fedora):
# ausearch -ts week-ago --success no --interpret
or maybe
# last -x
I recognize that most security recommendations present hurdles,
SELinux configuration and firewall rules are no exception. I'm
working on a suite of tools to help with that, but they're not
ready for release.
Fedora seems to be at one end of a spectrum, with perhaps Slackware
on the other end, where the above strategy
seems a little weak. Fedora seems to push out changes quickly and
with great tumult, not infrequently requiring patches to their
patches. In contrast, Slackware releases after exhaustive testing
and review, and doesn't seem to chase - or incorporate - moving
targets. I'm not recommending one over the other, just trying to
compare and contrast.
The developers for Fedora 13 were no smarter or dumber than the
developers who are writing Fedora 36. Or pick your distro of choice.
I disagree.
The previous generation of developers (Alan Cox was an exemplar)
were more careful, thoughtful, and expert in their
craft. Kids these days... Eventually they'll get better, maybe
better than the Old Guard. But for now, there are a plethora of
semi-skilled Kool Kids in the fray. Perhaps my view is jaundiced
because I'm doing front-end (web) development this month.
The issue with an older release is that nifty new things come out and
you can't really use them. But, if you run a VM with a recent version
of the distro, you can use them just fine.
The other issue is that if you are getting vendor support, they can
only reasonably commit to supporting a limited number of versions.
Again, some distributions are like mayflies, some are like elephants.
Fedora is perhaps an unconventional choice for longevity.
--
Chuck Polisher
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com
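
The log review discussed in this thread, as an added example that is not from either poster: Python that counts failed sshd password logins per source address and flags a password login accepted from a source that already had several failures. The log lines are constructed samples in OpenSSH's syslog format; the `review` function name, the user `alice` and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's sshd log format (not from the thread).
SAMPLE_LOG = """\
Aug  8 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug  8 03:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Aug  8 03:14:06 host sshd[2103]: Failed password for alice from 203.0.113.7 port 40130 ssh2
Aug  8 03:14:09 host sshd[2105]: Accepted password for alice from 203.0.113.7 port 40136 ssh2
Aug  8 09:30:12 host sshd[2300]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Aug  8 09:30:20 host sshd[2300]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2
Aug  8 11:02:44 host sshd[2410]: Failed password for invalid user test from 192.0.2.55 port 33010 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def review(log_text, threshold=3):
    """Return (failures per source address, alerts) for sshd log text.

    An alert is an accepted *password* login from a source that already
    had `threshold` or more failures: the pattern of a guess that worked.
    Accepted public-key logins are not flagged.
    """
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif m["method"] == "password" and failures[ip] >= threshold:
            alerts.append((ip, m["user"], failures[ip]))
    return dict(failures), alerts


if __name__ == "__main__":
    counts, alerts = review(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} failed  {ip}")
    for ip, user, n in alerts:
        print(f"ALERT: password login for {user} from {ip} after {n} failures")
```

On Fedora the same function can be given the contents of `/var/log/secure` or the output of `journalctl -u sshd` in place of the sample text.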