[sf-lug] how to whack crackers
Asheesh Laroia
asheesh at asheesh.org
Mon Jan 5 17:27:03 PST 2009

On Mon, 5 Jan 2009, jim wrote:
> i cannot figure out a good backup scheme. the one
> that copies absolutely everything from certain
> directories each night is inelegant.

I disagree; it's magically elegant. Back up the whole filesystem, and then
you know that if you lose that filesystem tomorrow you have a copy of it
for later. On this point I think Rick and I disagree, but to me, the
confidence I get knowing I have the entire filesystem backed up means that
I don't ever have to worry about my backups excluding a file I wanted, nor
about spending time configuring the backups. Disks are cheap, and Asheesh
worrying is expensive.

I use dirvish for this; http://apt-get.dk/howto/backup/.

> we recognize that the growing /var/log/auth.log file represents
> doorknob tests, it's unnerving, possibly educational. and the big number
> of iptables rules seems to have no effect: maybe we've learned that
> lesson, too.

Okay, so it's for cleanliness, not security? Then use fail2ban to tidy
that up.

> there are only three humans that may log into the box,
> so password enforcement, for now, can be verbal abuse
> and stern reminders. i'll have to get pam's cracklib
> working.

It should be as easy as a call to apt.

> we will have a web server running, and i'm sure i'll have lots of new
> lessons to learn with that. got any httpd threat models? (all threat
> model news is welcome.)

For http, well, that's another can of beans. (-:

-- Asheesh.
--
If you think the problem is bad now, just wait until we've solved it.
-- Arthur Kasspe