On Tue, Feb 3, 2015 at 11:48 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:> >> I think the intent is: "Don't use a password likely to be included in >> the list that an attacker would try". Of course if services would >> rate-limit the failures > > Which sysadmins do for ages when they configure their machines. And I > don't think any system will ever come from system vendor fully prepared to > serve anything necessary, and tightened to best requirements (which depend > on box designation anyway).Really? Are vendors not capable of shipping something with good default settings? It seems like getting a new car and having to install a different engine yourself because the factory couldn't figure out how to do it.> So, system vendors can do better, but there > always will be need for you to do your sysadmin's part.If that were really true, then you also wouldn't be able to follow anyone else's advice about how to do it. That is, if your system really needs to be so different that it couldn't have been shipped with the configuration you need, then a book couldn't tell you that either.> Sounds almost like > job security. As one of my friends says: all systems suck, and thanks to > that got our jobs ;-)But wouldn't you rather be doing something new/different instead of just fixing things that should have been done right in the first place? -- Les Mikesell lesmikesell at gmail.com
On Tue, February 3, 2015 12:08 pm, Les Mikesell wrote:> On Tue, Feb 3, 2015 at 11:48 AM, Valeri Galtsev > <galtsev at kicp.uchicago.edu> wrote: >> >>> I think the intent is: "Don't use a password likely to be included in >>> the list that an attacker would try". Of course if services would >>> rate-limit the failures >> >> Which sysadmins do for ages when they configure their machines. And I >> don't think any system will ever come from system vendor fully prepared >> to >> serve anything necessary, and tightened to best requirements (which >> depend >> on box designation anyway). > > Really? Are vendors not capable of shipping something with good > default settings? It seems like getting a new car and having to > install a different engine yourself because the factory couldn't > figure out how to do it. > >> So, system vendors can do better, but there >> always will be need for you to do your sysadmin's part. > > If that were really true, then you also wouldn't be able to follow > anyone else's advice about how to do it. That is, if your system > really needs to be so different that it couldn't have been shipped > with the configuration you need, then a book couldn't tell you that > either. > >> Sounds almost like >> job security. As one of my friends says: all systems suck, and thanks to >> that got our jobs ;-) > > But wouldn't you rather be doing something new/different instead of > just fixing things that should have been done right in the first > place? >Sounds so I almost have to feel shame for securing my boxes no matter what job vendor did ;-) Just a simple example: I have at least 3 classes of boxes configured ultimately different and having very different level of security/fortification. Do you seriously suggest that system vendor will ship all three level of security configurations? Do you seriously think that needing quite high level of security for some box I will not go over all settings influencing it myself? Will you not? We are not Windows admins, we rely on what we configure or check ourselves. And we do take security seriously, so, we do go over everything whether the system vendor does or does not claim they have done that part already (and and claim they did it better than I can do it). If you prefer to delegate what you are responsible for (security of your box) totally to someone else (even as good guys as system vendor is), then I don't know what to tell you. Yet, I'm sure, majority Unix sysadmins will still do what I do: go over everything themselves. No matter what someone says. Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:> > Sounds so I almost have to feel shame for securing my boxes no matter what > job vendor did ;-)Yes, computers and the way people access them are pretty much a commodity now. If you are spending time building something exotic for a common purpose, isn't that a waste?> Just a simple example: I have at least 3 classes of boxes configured > ultimately different and having very different level of > security/fortification. Do you seriously suggest that system vendor will > ship all three level of security configurations?Yes, 3 seems about right.> Do you seriously think > that needing quite high level of security for some box I will not go over > all settings influencing it myself? Will you not?Of course, but only because the vendor does not do it. I think Red Hat's engineers are capable of it if they wanted to.> We are not Windows > admins, we rely on what we configure or check ourselves.Not sure what you mean by that. Windows is much worse since the configurations tend to be hidden and the ways to do things interactively and scripted are wildly different.> Yet, I'm sure, majority Unix sysadmins will still do what I do: go over > everything themselves. No matter what someone says.There are probably still people that take their cars apart to check that they were assembled correctly too. But that doesn't mean that things should not be shipped with usable defaults. -- Les Mikesell lesmikesell at gmail.com