I.T. Security and Linux Administration

Jan 31 2013   3:17PM GMT

How Have Security Practices Changed (2009-now)? Part 2

Eric Hansen

In continuing with my series (started here)…

Then: #6: User Accounts and Strong Password Policy

Now: Same

Do I agree? Definitely. However, the concept of “strong password policy” has changed a lot. I’ve touched on it before, but I’ll say it again: I do not believe in “randomized” passwords, the kind that look like you just mashed a bunch of keys together.

I had a debate with a friend about this not too long ago. With crackers (e.g. hashcat) that brute-force over raw bytes instead of ASCII character sets, even throwing in UTF-8 or other characters outside the 0-127 decimal range will still get caught. The easiest approach is to require spaces and use passphrases.

Brute forcers check against random strings. Phrases are random strings in that sense too, but they’re not typically going to have odd characters like @ or $. Dictionary attacks typically assume the passphrase contains only one dictionary word, and even when they don’t, they have to run through the entire dictionary n times for however many words are in the passphrase.
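To put numbers behind the passphrase argument, here is an added example (not code from the original post) that estimates the work each attacker model described above needs against a candidate secret, and a passphrase-friendly policy check that allows spaces. The dictionary size of 20,000 words and the policy thresholds are constructed assumptions, not values from the post.

```python
import math

# Alphabet sizes for the attacker models discussed in the post.
PRINTABLE_ASCII = 95           # space through '~' (0x20-0x7E)
FULL_BYTE_RANGE = 256          # a cracker that iterates raw bytes, not just ASCII
ASSUMED_DICTIONARY_SIZE = 20_000   # constructed assumption: words in the attacker's wordlist


def charset_bits(length, alphabet_size):
    """Work (in bits) to brute-force a string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size):
    """Work (in bits) to try every combination of `word_count` dictionary words."""
    return word_count * math.log2(dictionary_size)


def attack_models(secret, dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """Estimate the work each attacker model needs against `secret`.

    The byte-wise model is the cracker that iterates raw bytes and so also
    covers non-ASCII characters; the dictionary model only applies when the
    secret looks like a phrase of plain words.
    """
    words = secret.split()
    models = {
        "ascii_bruteforce": charset_bits(len(secret), PRINTABLE_ASCII),
        "byte_bruteforce": charset_bits(len(secret), FULL_BYTE_RANGE),
    }
    if len(words) > 1 and all(w.isalpha() for w in words):
        models["dictionary_phrase"] = passphrase_bits(len(words), dictionary_size)
    return models


def effective_bits(secret, dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """The cheapest attacker model is the one a defender has to assume."""
    return min(attack_models(secret, dictionary_size).values())


def check_policy(secret, min_length=16, min_words=4):
    """Passphrase-friendly policy: require length and word count, allow spaces.

    Thresholds are constructed assumptions. Returns a list of problems;
    an empty list means the secret passes.
    """
    problems = []
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(secret.split()) < min_words:
        problems.append(f"fewer than {min_words} space-separated words")
    if secret != secret.strip():
        problems.append("leading or trailing whitespace is easy to lose on entry")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, attack_models(candidate), check_policy(candidate))
```

Note what the numbers show: a four-word phrase from a 20,000-word list is cheaper for a dictionary attacker (about 57 bits) than a byte-wise brute force of its 28 characters would suggest, so the word count, not the character length, is the figure a policy should enforce.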

Then: #7: Disable root Login

Now: Same

If you’re using root for anything, you’re not sysadmining properly. There is a reason sudo was created, which means there’s no reason for you to log in as administrator.
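A quick way to verify that root login over SSH is actually off, as an added example rather than anything from the original post: this parses sshd_config text and reports the effective global PermitRootLogin value. It follows the rules from sshd_config(5): the first obtained value for a keyword wins, and directives inside a Match block apply only when that block's conditions hold. The two config samples are constructed for the example.

```python
import re

# Constructed sample: a later "no" does not override the earlier "yes",
# because sshd uses the first value it obtains for each keyword.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PermitRootLogin no
"""

# Constructed sample: root disabled globally; the Match block only re-enables
# it for a specific source range and does not change the global value.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""


def permit_root_login(config_text):
    """Return the effective global PermitRootLogin value, lower-cased.

    Returns None when the directive is absent, in which case the compiled-in
    default applies, and that default is not 'no'.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break          # everything after this is conditional, not global
        if key == "permitrootlogin":
            return value.lower()
    return None


def root_login_disabled(config_text):
    """True only when the global value is an explicit 'no'."""
    return permit_root_login(config_text) == "no"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, permit_root_login(cfg), root_login_disabled(cfg))
```

To check a live host, read `/etc/ssh/sshd_config` into `permit_root_login`; an absent directive counts as not disabled here on purpose, since relying on a default is exactly the kind of thing an audit should flag.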

Then: #8: Physical Server Security

Now: Debatable

Let me explain. Yes, physical server security is extremely important. However, going as far as “all production boxes must be locked in IDCs (Internet Data Center) and all persons must pass some sort of security checks before accessing your server” is a little bit of a stretch. Call me silly, but I don’t really know what an IDC is (same as a regular data center?), and having all of your employees go through a security background check prior to working on the server should be reserved for the extreme cases (e.g. medical record storage).

Then: #9: Disable Unwanted Services

Now: Irrelevant

This really seems redundant with #2 and #3, but at this stage you shouldn’t have to worry about unwanted services, especially if you build your own images and/or repos.

Then: #10: Delete X Windows

Now: Irrelevant

Even though I have BackTrack running on my home server, there’s really no reason to have Xorg running. Again, this goes more in line with #2/#3/#9, but as I’m addressing each suggestion, I’m making this a point to address.
