Bill Campbell (c...@celestial.com)

I would go with Opensolaris.  There has been quite a bit of
messaging on the freebsd lists on zfs that give me the impression
that zfs on freebsd is not really ready for prime time.

Bill

I don't do business with government agencies, it just encourages
them to continue their legal plunder (and often it takes forever
to get paid -- unless one offers an early payment discount that
they are required by law to use).

>(I have run into both of these. :-) )
>
>example three - A TSA attendant "accidentally" drops your
>laptop.. in front of a forklift... (Merry Christmas!)

That might well get me to cancel my trip.

>All your ideas are good ones to which I would add using port knocking
>(not perfect at all but adds an additional small barrier)

I am aware of port knocking, but doing that certainly requires
stuff on the client computer that wouldn't be available at the
average Internet cafe or kiosk device.

>The best technique I have used is to put up an https web page
>that requires the person desiring entry to be presented with a
>challenge<->response dialog that is generated from a specific one-time
>use pad of CR key pairs. That way, each session requires a unique
>response to enable it. This is awkward but help keep the unwanted
>visitors out. This would be a variation on your SSL webmin
>suggestion.

I saw something recently on one of the many mailing lists about a
USB device that generates one-time-passwords at very reasonable
cost.  These can be plugged into anything with a USB port that
would recognize a USB keyboard.

>Unfortunately, the worst case scenario ( a compromised machine
>that does key logging) which you pointed out, will always be a
>potential problem..
>
>So when on the road, perhaps we should restrict doing
>online banking to just the cell phone.. :-) hmm.......

My bank is set up to make one jump through several hoops when
logging in from an IP that it has not seen a login to the
account, and may even distinguish browsers as I think I have had
to do something special when using Safari on my desktop instead
of my normal Firefox.  My bank is a small regional bank where the
people at the branch know me, and even recognize my voice on the
phone so it's pretty easy for me to do things by phone.  I *HATE*
dealing with megabanks where customer service is an oxymoron.

...
Bill

I always have my laptop with me, and have systems here configured to (a)
accept only authorized_keys, (b) allow access from any IP, and (c) use
fail2ban to limit the number of log entries from failed attempts to access
the systems.  All logins to our customer sites are then initiated from
inside our network once I have established the initial connection from the
remote location so those connections can be much more restrictive if
necessary.

One possibility would be to have a machine configured to allow password
access from the world which one could log into, then execute ssh-agent, and
ssh-add (with a strong pass phrase) on that machine to get access to other
systems on your network.

If there is some reason that an ssh cannot be established, usually it's
possible to connect with OpenVPN, which works nicely behind NAT firewalls
and does not require kernel hacking on CentOS as things like PPTP do.

You make the job much more difficult when asking that you be able to get in
from any old machine you might find in public space.  Other than the fact
that the owners of these machines generally don't allow people to install
software on them, I would be very reluctant to do anything on them that
involved secure logins as who knows what key capture or other spyware is
running on them.

One may be able to access you systems using webmin or its usermin module
over an SSL connection, and webmin has a terminal interface allowing one to
get a connection to systems.  If I remember correctly, this does require
Java(tm) on the connecting machine, and that webmin be configured to permit
use of the terminal module.

I much prefer restrict webmin and usermin access though as I have seen far
too many systems cracked through it because it only has username, password
authentication, and too many times, user's passwords are easily cracked.
Once somebody is logged into usermin, for instance, they may have access to
tools such as the chfn (change finger information) command which at one
time on SuSE systems allowed them to change their uid to ``0'' and gain
root access to the system.

In summary, I would be extremely reluctant to allow access from public
machines where there is no assurance how much malware is running on top of
the Microsoft virus, Windows.  It's very easy to revoke authorized_keys or
OpenVPN access for a lost or stolen laptop.  Allowing password access by
any means opens up a large can of worms.

...
Bill

As a rule, we require external developers to access our servers
using OpenVPN which provides a simple means of getting secure
access without having to deal with multiple server components.

The OpenVPN clients for Windows and OS X are simple to set up,
well within the capabilities of the average web developer (which
often aren't extensive :-).

Bill

If the permissions on /bin/ping were incorrect, it may mean that
your system has been cracked.  You probably should check by
running ``rpm -V iputils'' which will show changes in any files
in the package.

Crackers frequently hack system utilities to hide their presence
on the system, particularly things like /bin/ps, /bin/login,
/bin/netstat (pretty much anything in the /bin, /usr/bin, /sbin,
and /usr/sbin directories).  For a quick list of rpm packages
that might be affected you can do:

rpm -qf /bin/* /sbin/* | sort -u > /tmp/critpackages

Then a quick check for changed files.  This doesn't show the
package names, but that's easy to find with ``rpm -qf fname''.

rpm -V `cat /tmp/critpackages`

Bill

You might check with Silicon Mechanics as they build a lot of
Supermicro boxes with 3Ware cards.  I have a couple of 2U boxes
here that I'm preparing to deliver to a customer which have them.

http://www.siliconmechanics.com/

You may be able to find Supermicro parts on eBay as well.  I have
a 2U server here that I got on eBay which is working nicely.

Bill

I've spent almost 20 years avoiding sendmail :-).

Bill

We started using tcp with nfs about five years ago, largely to
cure a problem where a system running SuSE 9.0 Pro with multiple
IP addresses on the NIC was responding to NFS UDP packets from
one of the aliased IP addresses, not the primary.  This caused
NFS mounts by OS X clients to fail as they expected to get the
UDP packets back from the same IP to which they sent.  Using tcp
naturally fixed this, and I never got around to figuring out why
the replies were coming from the aliases IP address.

We use NFS mounted home Maildir directories on a system with
about 10,000 e-mail accounts, and a cluster of 4 machines handling
incoming e-mail, with most of the postfix configuration files NFS
mounted as well.  These handle about 100,000 incoming messages a
day without problems (a fair number of which are dropped without
delivery after checking with spamassassin).  There are about
182,000 IMAP/POP3 daily logins to check mail.  Load averages are
fairly low on all the systems, and the incoming mail queues
rarely get over five messages with most of the delivery time
being spamassassin checking using a central bayesian database.

The central server that has all the home directories generally
runs with a load average around 0.50 (a 4-year old SLES 9.2
system with a single Intel(R) Pentium(R) 4 CPU 3.00GHz, 2GB RAM
with 7,200 RPM Seagate Barracuda SATA drives, hardly a high
performance machine compared to what we're building today.

Bill

Or some other server where they are willing to whitelist that
address.  We do this for several of our customers who are on
networks that have delivery problems of one kind or another,
usually on a port other that 25 to get around outgoing blocks or
automatic redirection to a broadband provider's server.

Bill

Your IP address, 70.62.90.185, is listed on zen.spamhaus.org, and
you can probably go to their web site to see why it's listed.

I have see quite a few cases where spam is sent from webmail
accounts (mostly squirrelmail) by crackers who get access via
weak passwords found by imap/pop probes as you described.

It's been my experience in the 15 years we have been doing
support for regional ISPs that well over 50% of their user's
passwords are easily cracked, and that getting the users to use
good passwords is difficult to say the least.

Bill

By the time you know the user has been compromised, it's too late.

We normally don't allow password authentication with ssh,
requiring authorized_keys.  In the cases where we have to allow
password authentication, we severely restrict ssh acces using the
/etc/hosts.allow file.

Bill