How secure are your servers? Check this out...
We have installed a new verification system on our gateway server (the sole point of entry on our network).
Check this out: Each person who needs access is given a pager-like device. This device displays a 6-digit random sequence that changes EVERY 10 SECONDS. When you log in to the server, through SSH or SCP, you are prompted for your name as usual. Then instead of a password, you get: PASSCODE: which is a 4-digit PIN you choose + the 6 digits you see on the pager-thing. Then it asks you to wait until the numbers change (so max 10 seconds) and enter that sequence. If all is good, you get in. If not, you're stuck outside. This is awesome to me, as even if someone broke your code and the sequence (which is already next-to-impossible), they would then only have 10 seconds to get the next sequence. How secure are you??
What are you hiding?
Yes, but does that secure you from a pissed-off employee? Or someone who doesn't enter that way?
That prevents people from entering by guessing common passwords or otherwise discovering a password, since the passes would change every 10 seconds. However, most servers are broken into through improperly configured system daemons or by taking advantage of holes in software or the OS itself. That doesn't have anything to do with knowing or entering the password, so for those kinds of break-ins the system you implemented doesn't do anything to protect your servers.
Only myself, our SysAdmin and our CTO have access (and a pager-thingy). Aside from that... how else do you expect them to be able to enter??
It's called a SecurID, smart guy.
It's called a SecurID. I've been using one for 8 years now. Course, mine is an 8-char alpha passcode + 6-digit rotating PIN that changes every 60 seconds.
VERY handy... course, you all should be using ssh anyway, or scp at the least. ssh+SecurID is the shit.
Second, none of our servers have external IP addresses, so they cannot be reached. He would have to exploit our BigIP F5s, which is quite difficult to do.
My bank uses this for online banking - very cool system until you lose the fucking device and have to wait a month to get a new one.
That's pretty fucken solid.
However yes, you are right. It's still a nice system though.
How much is this thing costing you?
If there's no physical security there's no security. If I wanted to 'hack' into a server all I would need is a screwdriver and a key to the building. Just keep that in mind.
SecurID is old school.
I even rap about it in some old songs. My dad used to have to use it to log on to Lockheed's IP network.
Overkill.
Hackers = holes, exploits, and poor configurations.
As for FreeBSD... I wouldn't count on your OS choice for protection. Especially because FreeBSD and Linux run mostly the same software. For example, if you're using Apache then Apache is Apache... it doesn't matter what operating system you're using. It mostly comes down to two things: 1) how the machine was configured and 2) are there any exploitable bugs in the code for any of the software that you're running. The only exception to the above is OpenBSD. It has a reputation for security because every single piece of software in the default install is audited to try and weed out exploitable bugs, and the guys behind it know their shit when it comes to security, so the default install is automatically configured to be lock-tight. However, if you install 3rd-party software then that paradigm goes down the drain.
lol
We got our man Jeff to fit in there though..... we only feed him once a week.
Yes, there are indeed ways around that.
And it's not new. That is basically the same method AOL has been using for their internal employees and everyone else on their LAN for many years now. There are a number of other businesses using PIN-based logins that are calculated on pager-like devices.
Who cares? If I beat the 4-digit code out of you and steal your pager, I'm in.
But why does Burger King really need all that security anyways?
Let's say you've got 5 web servers behind one load balancer... and they're all running the same version of Apache, configured the same way (that's a safe assumption in most cases), and I happen to know of an exploit that just might work on that version of Apache. I run my exploit, it goes through your load balancer to one of the 5 webservers, exploits the bug and bam, I have a shell running as the httpd user (or whatever user Apache is running as) on that webserver. Sure, I've only cracked one of the 5 servers... but who cares? Now I poke around and see that the dumbass sysadmin that installed this box left an exploitable version of sendmail running even though it's not being used (it happens quite often)... I exploit it and I have root. Now I own your webserver. Sure, if I log out I lose the exploited one... but I can still grab sensitive information while I'm there, and I can always re-run the exploit later on and get another server. The load balancer is not an issue here at all... it passes everything through port 80 to one of the 5 servers... it doesn't care what's being passed through. Unless I'm missing something.
Yep, this key thing is good if you're a newbie and wanna get root access to a box. Trust me... no real Ha0ker will ever use the normal port 22 to get in.
The real deal is a TCP wrapper that only allows your own IP in, or only allows physical onsite access to the server. Close all fucking useless ports. That's way more secure than any other rotating beeper crap.... my 2 cents.
Basically no network is bulletproof from break-ins. If there is a will there IS a way.
SIDs are bullshit. Not really a big help as there are many ways around it. It's kind of like when MS or someone released the new keyboards with fingerprint identification: within the day, at the same convention, someone showed a very easy way to exploit it.... dust, tape, and a clean drinking glass. :)
Pagers listen to a radio signal, and so can anyone else.
The only system I still work with is our NetApps. Maybe I should stop replying now since you guys know more about the security/exploits stuff than I.
It's called a keyfob.
I'm secure in who I am.
You'll get mad honeys that way hehe
I got to wonder, how often do the "pager like device" and the system you are protecting have to be "synced" so that they are using the same numbers?
Note that you can set it up such that if you fat-finger the passcode a certain number of times, it gets locked. Ours is set to 3...
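The login flow from the opening post (PIN + the displayed code, then the code from the following window) together with the lock-after-3-failures setting mentioned in the post above, written out as an added illustration that is not code from the thread or from RSA. The code generator is a constructed HOTP/TOTP-style HMAC truncation standing in for the real SecurID algorithm, and the secret, PIN and timestamps are made-up values; the verifier also tolerates one window of clock drift between token and server.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 10   # the opening post's token rolls every 10 seconds
DIGITS = 6
MAX_FAILURES = 3    # lockout threshold the later post says they use


def token_code(secret: bytes, t: int) -> str:
    """Code the token would show at unix time t. Constructed HOTP/TOTP-style
    truncation of an HMAC over the time window; NOT RSA's SecurID algorithm."""
    window = struct.pack(">Q", t // STEP_SECONDS)
    mac = hmac.new(secret, window, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class TwoStepVerifier:
    """Server side of the thread's login: PIN + displayed code, then the code
    from the next window. Locks the account after MAX_FAILURES bad attempts."""

    def __init__(self, secret: bytes, pin: str, drift_windows: int = 1):
        self.secret, self.pin, self.drift = secret, pin, drift_windows
        self.failures = 0
        self.locked = False

    def _fail(self) -> bool:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True      # only an admin reset reopens the account
        return False

    def login(self, passcode: str, next_code: str, now: int) -> bool:
        if self.locked:
            return False
        if not hmac.compare_digest(passcode[:len(self.pin)], self.pin):
            return self._fail()
        shown = passcode[len(self.pin):]
        # Locate the window the displayed code belongs to, within drift tolerance.
        for w in range(-self.drift, self.drift + 1):
            t = now + w * STEP_SECONDS
            if hmac.compare_digest(shown, token_code(self.secret, t)):
                # Second step must be the *following* window's code, so a
                # passcode captured once cannot be replayed on its own.
                if hmac.compare_digest(next_code, token_code(self.secret, t + STEP_SECONDS)):
                    self.failures = 0
                    return True
                break
        return self._fail()
```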
I figured it would have batteries or something, thus a need for a resync.
It's just lazy admins not doing their job right. Even if you have a managed server, sometimes they don't know what they are doing.