Is Linux that secure?

More secure than Windows
But it’s only as secure or unsecure as you make it.

If your SSH login is sent clear text, you’re just asking to be pwned

Good thing SSH doesn’t send it unencrypted then, huh.

Yeah, well most of the time

I’ve seen it, the facepalm is real

Show me an example of a situation where it’s sent plain.

From: https://man.openbsd.org/ssh

Finally, if other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network.

Corporate installs a script without realizing that it’s using a third party method to login through SSH, third party not configured properly, but it works so it must be secure.

If you want good examples, go work in InfoSec for a year or two, you’ll see it kek (although rare)

Note I said SSH login, that doesn’t have to pertain to SSH directly or its protocols

1 Like

Ah, that’s the problem. Never blindly trust and always check your configuration. Also, don’t install 3rd party extensions to PAM. It’s fine without them. If you want to log in, use an RSA key.

InfoSec is a field that exists because businesses are incapable of thinking with security in mind, have a breach and think well, shit, let’s hire a consultant to fix our problems. Just because you don’t have infosec in your title doesn’t mean you’re not security conscious. I know I’m secure because all my urls have https at the front /s

1 Like
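
As an added example (not part of the thread or any poster's code), one way to act on "always check your configuration" for sshd: a shell audit of the global section of an sshd_config-style file. The function names, finding labels and both sample configs are constructed for illustration; the defaults passed in are upstream OpenSSH defaults and are assumed unchanged by your distribution.

```shell
# Added example. sshd keeps the FIRST value it reads for a keyword and treats
# keywords case-insensitively; effective() mirrors that for the global section.

# effective FILE KEYWORD DEFAULT -> first global value, else DEFAULT
effective() {
    awk -v want="$2" -v dflt="$3" '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        tolower($1) == "match" { exit }      # Match overrides are out of scope
        tolower($1) == tolower(want) { val = tolower($2); found = 1; exit }
        END { print (found ? val : dflt) }
    ' "$1"
}

# Defaults passed below are upstream OpenSSH defaults (assumption: your
# distribution's build has not changed them).
audit_sshd() {
    f=$1; findings=""
    [ "$(effective "$f" PasswordAuthentication yes)" = "no" ] ||
        findings="$findings password-auth-enabled"
    [ "$(effective "$f" PubkeyAuthentication yes)" = "yes" ] ||
        findings="$findings pubkey-auth-disabled"
    [ "$(effective "$f" PermitEmptyPasswords no)" = "no" ] ||
        findings="$findings empty-passwords-allowed"
    [ "$(effective "$f" PermitRootLogin prohibit-password)" != "yes" ] ||
        findings="$findings root-password-login"
    [ "$(effective "$f" UsePAM no)" != "yes" ] ||
        findings="$findings pam-in-auth-path"
    echo "${findings# }"
}

# Constructed sample: the later "PasswordAuthentication no" looks like a fix
# but is ignored because an earlier line already set the value.
write_weak_sample() {
    cat > "$1" <<'EOF'
Port 2222
passwordauthentication yes
PermitRootLogin yes
UsePAM yes
PasswordAuthentication no
Match User deploy
    PubkeyAuthentication no
EOF
}

# Constructed sample of the corrected settings (key-only login).
write_hardened_sample() {
    printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
        'PermitRootLogin prohibit-password' 'UsePAM no' > "$1"
}
```

On a live host, `sshd -T` prints the effective configuration in the same keyword/value form, so its saved output can be passed to `audit_sshd` instead of the raw file. The `pam-in-auth-path` label only marks that the PAM stack should be reviewed; it is not a failure by itself.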

Preaching to the choir lol, I’ve worked in infosec for the last few years on and off (in college right now) and companies that aren’t security conscious are my bread and butter. Not that I encourage it.

Of course, you just see a lot more violations while working in the field. 😛

Fair. I’m just a bit frustrated with a situation at work. I just had to spend 30 minutes to explain why switching SSH to a random port does nothing but annoy people. On top of that, they’re using some firewall config on their CentOS box (not firewalld) that’s making my iptables changes not take. (I’m not talking about reboots, but immediate changes.)

I hate developers touching production boxes. Give me documentation on the software and I’ll deploy it. I’m the sysadmin, you’re the developers. Don’t do my job I won’t do yours.

aaand /rant.

1 Like

Hey, people hold on to their convictions pretty hard.

??? Do they have a good reason, like multiple points of entry or are they just being dinguses.

Never worked as a SysAdmin but I know from just working with them that this happens all too often. Sometimes the argument is that the devs know it’s hard to deploy for X reasons, and the SysAdmin just wants them to work together, showing him the ropes and all.

I’ve noticed when I’m working that people seem to pit me in the middle of these things, so why doesn’t my paygrade go up? /s… kinda

Can’t say for sure. I just gave them the rules I needed changed on my box and it was done.

That’s the situation I’m in, kinda. Been here about 2 years now. I’m trying to work with them on the whole separation of process thing and the individual developers appreciate it, but the suit in charge of the developers wants their hands in everything.

Welcome to my world. I’ve got a folder on my personal PC with copies of the email threads for all things that are “additional roles and tasks” that I’ve been assigned. I usually max my bonus and get a 3-4% raise per year. My advice is to go into your yearly review armed to the teeth with all the extra stuff you did and every time you saved someone’s ass. Tell them:

this is all the extra stuff I’ve done. I’ll keep doing extra stuff because you keep giving me more money. I understand that we’re a business and we need to get shit done and as you can see, I’ve done so all year, but I need to know that I’m appreciated and respected. I like money as a token of that appreciation and respect.

That’s provided you have time

MMmmm sounds a bit strange, I thought… well what do I know lol

That’s just bad management really, those that overreach usually are fairly disconnected from the reality of the situation and don’t understand/respect the position of a SysAdmin.

I’ve never thought of that, but that would be something to implement in the future. I guess a little more cash to fix other people’s crap that was assigned to you is a pretty defensible position.

Thanks for the link. Never knew this.

1 Like

OP, I forgot to mention, if you want a secure Linux install, here are guidelines the DoD uses to lock it down.

https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx

Is Linux that secure? What is your definition of “that secure”? Do you mean more secure than Windows? Then well yeah properly updated & secured Linux is probably harder to get into compared to a properly updated & secured Windows install. But no OS is impenetrable, only some are harder than others to crack. If someone wants to compromise your box, and has enough time and knowledge, they will eventually get to what they want. It’s only a question of how long and what kind of knowledge is required to get the job done.

This made me laugh.

Although /etc/passwd is mostly just for show, with the real one that’s used being the shadow one, but I digress, it was a clever idea.

I thought the point of a script that would check /etc/passwd is that it would come up with a username, an ‘x’ marker for an encrypted password, user id, group id as well as the type of home directory and shell being used?

I guess the answer to this topic is anything can be as secure as you want it to be given enough time, money and patience. I say patience as there comes a point where security practices can overcome convenience and usability.

As soon as the market share increases for Linux you will see more attacks that have a Linux flavour. The issue that needs to then be overcome is the potential for a proportion of the Linux userbase to be more tech savvy than the proportions in macOS and Windows. Back in the annals of time, there were fewer exploits discovered and manipulated on Macs, this would likely have increased when it became a more competitive platform with Windows/Linux, that’s why people claimed (albeit misguidedly) that ‘Macs couldn’t get viruses’. It wasn’t the technical impossibility, but the fact that it was not a target at the time.

These days you don’t see those claims being made as often, but I’ve had the odd smug friend try to claim that Linux was impervious to such threats. Unfortunately, it is those types of people that need security more than the average suspicious and vigilant computer user.

Let’s put it this way. It should be under my control. My tech put it in a rack, but the developers ran amok with it and I kinda wrote it off as a total loss.

1 Like

Ah ok, it sounds like a lack of communication lol

It’s a combination of a lack of communication and a lack of respect. I’m mid 20s working for a company where the average age is probably 38. I’m in a mid-level position and I’ve only been here for a couple years. A lot of them have that “don’t tell me what to do kid” look whenever they’re talking to me and it annoys the hell out of me. That makes me not actively seek out communication with these people.

Not saying what I’m doing is justified though.