
Re: idea for improving security



|On Wed, 7 May 2003 08:53:40 +0200 Michael Bergbauer
|<michael@noname.franken.de> writes:
|If you 
|> think SSH (or any other component) is not trustworthy, just look for 
|> alternatives (or create them yourself).
|
|what would be a more secure alternative to ssh?
|

what about ssh over vpn (vtun, openvpn, ipsec...) ?

at that point, you introduce complexity, another layer,
possible flaws of the vpn software....

of course you would add a firewall on the vpn device,
so that you can only connect from your admin box to the ssh port.

(both services can be run on non-standard ports)

(and of course it's more an admin solution than an end user solution)


On the other subject of the thread,
about http://cmn.listprojects.darklab.org/,


To prevent DoS, for the sending of syns to some predefined ports, you could have
a payload with your gpg signature (and encryption). only the authenticated
packets would be taken into account for opening the port.
(i don't have such a system, it's just an imaginary setup,
i have no clue how to analyze the payload.)

(and one has to remember that obfuscation is not a replacement
for security. ie you can add it to your secure setup. don't ever
say : 'oh, nobody will find out'.)

bye

-- 
xavier renaut
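
The authenticated-knock idea in the message above, as an added example that is not part of the original post or of the project it links to. It swaps the GPG signature for an HMAC-SHA256 over a shared key so it runs with the Python standard library; the packet layout, key, time window and all names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not from the original post).
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW = 30          # seconds a knock stays valid
TAG_LEN = 32           # HMAC-SHA256 output size
HEADER = struct.Struct("!QH16s")  # timestamp, port to open, random nonce


def build_knock(key, timestamp, port, nonce):
    """Client side: serialise the request and append its MAC."""
    body = HEADER.pack(timestamp, port, nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KnockVerifier:
    """Server side: decide whether a received payload may open a port."""

    def __init__(self, key, allowed_ports):
        self.key = key
        self.allowed_ports = set(allowed_ports)
        self.seen = {}  # nonce -> timestamp, for replay rejection

    def verify(self, payload, now):
        """Return the port to open, or None if the packet is ignored."""
        if len(payload) != HEADER.size + TAG_LEN:
            return None
        body, tag = payload[:HEADER.size], payload[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare; check the MAC before parsing any field.
        if not hmac.compare_digest(tag, expected):
            return None
        timestamp, port, nonce = HEADER.unpack(body)
        if abs(now - timestamp) > MAX_SKEW:
            return None  # stale capture
        # Forget nonces that the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen or port not in self.allowed_ports:
            return None  # replayed packet or port not on offer
        self.seen[nonce] = timestamp
        return port
```

Unauthenticated packets cost the listener one fixed-size MAC computation and leave no state behind, which is what keeps spoofed knocks from opening or exhausting anything.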


