On Sun, 11 Dec 2011 16:53:02 +0200 Alex Efros <power...@powerman.name> wrote:
> Hi!
>
> On Sun, Dec 11, 2011 at 02:25:19PM +0000, Sven Vermeulen wrote:
> > > 1) How can
> > > 4.2.4.1. Root Logon Through SSH Is Not Allowed
> > > increase security, if we're already using
> > > 4.2.4.2. Public Key Authentication Only
> > > Disabling root may make sense with password auth, but with
> > > keys it is just a useless inconvenience.
> >
> > I read somewhere that security is about making things more
> > inconvenient for malicious people than for authorized ones.
> >
> > For me, immediately logging in as root is not done. I want to limit
> > root access through the regular accounts on the system (with
> > su(do)). I never had the need to log on as root immediately myself.
>
> Understood. But I still don't see how this can increase security.
>
> > hardening measures, glsa-check, cvechecker and the like to mitigate
> > risks of
>
> Been there, done that, it doesn't work: on average, after 1-1.5 years
> of security-only updates we end up with the next security update,
> which depends on a few other packages, which in turn pull in 80% of
> the other @world updates. So we have to emerge world anyway every
> ~1.5 years, but such delayed updates weren't tested by anyone and
> usually give a lot of trouble, resulting in the server being offline
> for several days. Daily world updates are much easier to manage, even
> with the need to check these updates on test servers first, before
> updating production servers. (And daily updates are usually easy to
> roll back and debug in case of unexpected trouble.) Because of this
> I don't think Gentoo is capable of acting as an LTS release with
> security-only updates like some other distributions.
>

Well, you don't wait years, just months between updates. I have
glsa-check running daily on my systems and update when it tells me to.
On top of that I update at least monthly, usually weekly (though I
could probably go every six months and be fine).

-- 
Matthew Thode (prometheanfire)
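The two benchmark items the thread argues about, root logon over SSH disabled (4.2.4.1) and public key authentication only (4.2.4.2), are both plain sshd_config settings, and the practical question for an administrator is whether a given config file actually has them in effect. The following POSIX shell audit is an added example, not code from the thread, from Gentoo, or from OpenSSH. It assumes the documented sshd_config parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, and everything from the first Match line to end of file belongs to Match blocks), and it assumes OpenSSH's defaults for absent keywords (PasswordAuthentication, PubkeyAuthentication and ChallengeResponseAuthentication default to yes; KbdInteractiveAuthentication follows ChallengeResponseAuthentication; PermitRootLogin is taken as prohibit-password, which like the older default of yes still permits root to log in). The two sample config files are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "no root login over SSH" and
# "public key authentication only". Not from the thread or from OpenSSH.

# ssh_effective FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD in FILE, lower-cased.
# Assumed sshd_config semantics: comments and blank lines are ignored,
# keywords are case-insensitive, the FIRST occurrence wins, and once a
# Match line appears every later line belongs to a Match block (so it is
# not a global setting). DEFAULT is printed when the keyword is absent.
ssh_effective() {
    _file=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _default=$3
    _val=$(awk -v k="$_key" '
        /^[[:space:]]*#/ { next }                        # comment line
        NF == 0 { next }                                 # blank line
        tolower($1) == "match" { inmatch = 1 }           # Match runs to EOF
        inmatch { next }
        tolower($1) == k { print tolower($2); exit }     # first occurrence wins
    ' "$_file")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# audit_sshd_config FILE
# Report each setting that is weaker than the benchmark items discussed
# in the thread; return 0 only if all of them are hardened.
audit_sshd_config() {
    _f=$1
    _rc=0
    # Defaults below are assumptions about OpenSSH behaviour when absent.
    _root=$(ssh_effective "$_f" PermitRootLogin prohibit-password)
    _pw=$(ssh_effective "$_f" PasswordAuthentication yes)
    _pk=$(ssh_effective "$_f" PubkeyAuthentication yes)
    _cr=$(ssh_effective "$_f" ChallengeResponseAuthentication yes)
    _kb=$(ssh_effective "$_f" KbdInteractiveAuthentication "$_cr")

    [ "$_root" = no ] || { echo "WEAK: PermitRootLogin=$_root (4.2.4.1 wants no)"; _rc=1; }
    [ "$_pk" = yes ]  || { echo "WEAK: PubkeyAuthentication=$_pk (4.2.4.2 needs yes)"; _rc=1; }
    [ "$_pw" = no ]   || { echo "WEAK: PasswordAuthentication=$_pw (4.2.4.2 wants no)"; _rc=1; }
    # With keyboard-interactive left on, PAM can still prompt for a password.
    [ "$_kb" = no ]   || { echo "WEAK: keyboard-interactive auth=$_kb (PAM may still ask for a password)"; _rc=1; }
    # Match blocks can re-enable any of the above for particular users or
    # addresses; this audit only checks global settings, so flag them.
    grep -qi '^[[:space:]]*Match' "$_f" && echo "NOTE: Match block(s) present in $_f; review them separately"
    [ "$_rc" -eq 0 ] && echo "OK: $_f disables root login and allows key authentication only"
    return "$_rc"
}

# Constructed sample configs (illustration only, not real host files).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Constructed sample: root allowed, keyboard-interactive left at default
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# Constructed sample: matches 4.2.4.1 and 4.2.4.2
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Usage: run the audit against both samples (or against /etc/ssh/sshd_config).
audit_sshd_config "$HARD_CFG" || true
audit_sshd_config "$WEAK_CFG" || true
```

Checking the file this way only covers what sshd would read as global settings; on a live host `sshd -T` prints the effective configuration after defaults and Match evaluation and is the more authoritative source when it is available.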