
Re: A question about Knark and modules



On Tue, Jun 19, 2001 at 12:17:07PM +0800, Ben Harvey wrote:

> cracker==root sysadmin==root+LIDS_password
> if someone can sniff me typing in my lids password (encrypted in the kernel)
> then I am stuffed.

They can always read the password hash out of the kernel and run a
brute-force attack on it too.

> In short, LIDS can be a pain to set up, but would also be a pain to crack,
> especially if the cracker doesn't know exactly which rules I have set up.
> A good cracker could do it.

And that's the point.

My philosophy on things like LIDS is this:

For an expert cracker (rare), they will probably be able to undo it and
get around it; all it will do is make my life as an admin MISERABLE.
I'll just spend all my time fixing the little breakages LIDS causes; that's
how maintaining NT is, and I don't want that for *nix.

For a moron attacker (99.999% of attackers), they will probably be
stopped by my vigilant administration of the system; they won't get in
unless they find a zero-day exploit for some program I'm running. And
for a high-security borderline machine like my firewall I can disable
module loading and access to /dev/mem, which I know can be easily
removed by deleting the initscript that runs lcap and rebooting, but a
reboot I WILL notice and WILL audit.

Most attackers will quickly become annoyed by a well-run system and
just move on to the next vulnerable Red Hat box that has never seen a
security update in its life.

> BTW, I notice that they are still working on fork-bomb protection. That would
> be nice :)

ulimit -u 20 

That's all it takes.

BTW your Mail-Followup-To header is broken.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
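The `ulimit -u 20` one-liner above sets RLIMIT_NPROC. The following C program is an added example, not code from Ethan's mail or from LIDS/lcap: it lowers RLIMIT_NPROC in a throwaway child process and then forks the way a fork bomb does, so you can watch fork() start failing with EAGAIN once the limit is reached. It assumes Linux (any POSIX system with RLIMIT_NPROC should behave the same); the limit of 20 and the 64 attempts are a constructed scenario, and the function names are the example's own.

```c
/*
 * Added example, not part of the original mail: exercise RLIMIT_NPROC, the
 * per-user process limit that `ulimit -u N` sets, by lowering it in a
 * throwaway child and then forking as fast as a fork bomb would.
 * Build: cc -Wall -o nproc_demo nproc_demo.c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower the soft RLIMIT_NPROC of the calling process to `n`, leaving the hard
 * limit alone (an unprivileged user may do this, exactly like `ulimit -u`).
 * Returns 0 on success, -1 with errno set on failure. */
int set_proc_limit(rlim_t n)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && n > rl.rlim_max)
        n = rl.rlim_max;   /* the soft limit cannot exceed the hard limit */
    rl.rlim_cur = n;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Fork up to `attempts` (at most 254) children that stay alive, blocked on a
 * pipe, so they all count against the limit at once like a fork bomb's do.
 * Returns how many forks succeeded (children are released and reaped before
 * returning) or -1 on error; *last_errno gets the errno of the first failed
 * fork, or 0 if none failed.  Under RLIMIT_NPROC that errno is EAGAIN. */
int fork_storm(int attempts, int *last_errno)
{
    pid_t pids[256];
    int pipefd[2];
    int spawned = 0;

    *last_errno = 0;
    if (attempts > 254)
        attempts = 254;
    if (pipe(pipefd) != 0)
        return -1;
    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid < 0) {
            *last_errno = errno;   /* EAGAIN once the limit is hit */
            break;
        }
        if (pid == 0) {
            char c;
            close(pipefd[1]);
            if (read(pipefd[0], &c, 1) < 0)   /* returns 0 when parent closes */
                _exit(1);
            _exit(0);
        }
        pids[spawned++] = pid;
    }
    close(pipefd[1]);   /* release every child */
    close(pipefd[0]);
    for (int i = 0; i < spawned; i++)
        waitpid(pids[i], NULL, 0);
    return spawned;
}

/* Run set_proc_limit(limit) + fork_storm(attempts) inside a throwaway child
 * so the caller's own limits are untouched.  Returns the number of forks that
 * succeeded (carried back in the child's exit status), or -1 on error. */
int storm_under_limit(rlim_t limit, int attempts)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int err;
        if (set_proc_limit(limit) != 0)
            _exit(255);
        int n = fork_storm(attempts, &err);
        _exit(n < 0 ? 255 : n);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    /* Constructed scenario: the mail's limit of 20 against 64 fork attempts. */
    int n = storm_under_limit(20, 64);
    printf("forks that succeeded under ulimit -u 20: %d of 64\n", n);
    if (geteuid() == 0)
        puts("(running as root: the kernel does not enforce RLIMIT_NPROC for "
             "root, so this limit only protects unprivileged accounts)");
    return n < 0;
}
```

Two things the number printed will remind you of: RLIMIT_NPROC counts every process owned by the real UID system-wide, not just this program's children, so an ordinary user already running a few dozen processes will see zero successful forks under a limit of 20 (which is why a per-user limit in /etc/security/limits.conf needs headroom for the user's normal session); and the kernel skips the check for root, so `ulimit -u` is no defence against a fork bomb run from a root shell.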


