[sf-lug] how to whack crackers
asheesh at asheesh.org
Mon Jan 5 17:27:03 PST 2009
On Mon, 5 Jan 2009, jim wrote:
> i cannot figure out a good backup scheme. the one
> that copies absolutely everything from certain
> directories each night is inelegant.
I disagree; it's magically elegant. Back up the whole filesystem, and then
you know that if you lose that filesystem tomorrow you have a copy of it
for later. On this point I think Rick and I disagree, but to me, the
confidence I get knowing I have the entire filesystem backed up means that
I don't ever have to worry about my backups excluding a file I wanted, nor
about spending time configuring the backups. Disks are cheap, and Asheesh
worrying is expensive.
I use dirvish for this; http://apt-get.dk/howto/backup/.
> we recognize that the growing /var/log/auth.log file represents
> doorknob tests, it's unnerving, possibly educational. and the big number
> of iptables rules seems to have no effect: maybe we've learned that
> lesson, too.
Okay, so it's for cleanliness, not security? Then use fail2ban to tidy
> there are only three humans that may log into the box,
> so password enforcement, for now, can be verbal abuse
> and stern reminders. i'll have to get pam's cracklib
It should be as easy as a call to apt.
> we will have a web server running, and i'm sure i'll have lots of new
> lessons to learn with that. got any httpd threat models? (all threat
> model news is welcome.)
For http, well, that's another can of beans. (-:
If you think the problem is bad now, just wait until we've solved it.
-- Arthur Kasspe
More information about the sf-lug