
BLU Discuss list archive



Frackin script kiddies!!



On 08/03/2010 12:25 AM, David Kramer wrote:
> Matthew Gillen wrote:
>> More and more, I believe hiding behind ssh tunnels is the only way to stay
>> sane.  Precisely because David is probably a much better sys-admin than me
>> (daily snapshots!), and problems like he described are so hard to predict:
>> unless you know to look for it, why would you set up cron jobs to watch for
>> disappearing .htaccess files?
> 
> Well, I actually did some academic research into this area when I was
> working at Aptima, but more importantly, as an Agile Software Engineer I
> am into continuous improvement.  Every new thing I learn I can check
> for, every time I find an avenue of attack, I adapt to it.
> 
> I have a watchdog script that I wrote that runs on another server and
> every 20 minutes it would ping my server to see if it was up.  And then
> there was a DNS problem and it couldn't handle that, so I added a check
> for the domain name lookup first.  Then my database died, so I added a
> check to make sure when I go to http://www/thekramers.net I see the
> content I expect to see.  You get the idea.
> 
> I also run a script I wrote from root's cron called checkhealth.sh.  It
> started out very simple (hard drive space, % idle, etc), now it does all
> sorts of things, like making sure my TV capture card's device exists and
> has the right permissions, because that was a problem for a while.  And
> it makes sure my IR transceiver device exists.  And it makes sure that
> there aren't zero-byte video files recorded by MythTV.  And it makes
> sure the database is running.  Because I learned from each error.

Right, but my point is that solutions like that are almost by definition
reactive: you don't add something to your script until you get burned by it
once (except maybe for some obviously foreseeable things).  For most
configuration issues, yours is probably the best approach.  But for
security-related configuration, the trial-and-error is disruptive and
potentially costly (if you have two weeks of backups, and the attack goes
unnoticed for 15 days...).

I find it's much easier to secure one service (ssh) to a reasonable level, and
ignore 'security' for most everything else.  I don't bother changing my mythtv
apache config from its defaults because I don't need to secure it on my home
LAN (at least until my kids learn to navigate web menus).  I can tunnel in
using my android phone if I need to...

> 
> All of this has come from learning from experience and adapting to
> handle each challenge I learn about.  And you can do that just as well
> as I can.

Sure, and to some extent I have done a lot of the things you talk about.  It
just takes time and getting burned, and time is something I'm running short on
these days...

Matt
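A small local health-check script in the spirit of the checkhealth.sh David describes above (a .htaccess that must exist, a device node with the right permissions, zero-byte MythTV recordings, disk space), written as an added example rather than a script from the thread. The paths are hypothetical, the demo tree is constructed in a temp directory, and it assumes GNU coreutils (`stat -c`); the network checks (DNS, HTTP content) are left out so it runs offline.

```shell
#!/bin/sh
# Each check is a function that returns 0 (ok) or 1 (problem) and prints a
# one-line reason, so a root cron wrapper can collect and mail the failures.
# Every path used here is hypothetical; run_demo builds a throwaway tree.

# Does the file exist at all (e.g. a .htaccess that keeps disappearing)?
check_present() {            # $1 = path
    [ -e "$1" ] && return 0
    echo "MISSING: $1"; return 1
}

# Does the device node (or file) exist with exactly the expected octal mode?
check_mode() {               # $1 = path, $2 = expected mode, e.g. 660
    [ -e "$1" ] || { echo "MISSING: $1"; return 1; }
    actual=$(stat -c '%a' "$1")
    [ "$actual" = "$2" ] && return 0
    echo "BAD MODE: $1 is $actual, expected $2"; return 1
}

# Are there zero-byte recordings (a failed capture) under a directory?
check_no_empty() {           # $1 = dir, $2 = name glob, e.g. '*.mpg'
    empties=$(find "$1" -name "$2" -type f -size 0 2>/dev/null)
    [ -z "$empties" ] && return 0
    echo "EMPTY FILES:"; echo "$empties"; return 1
}

# Is the filesystem holding $1 below $2 percent used?
check_disk() {               # $1 = path, $2 = percent used that triggers alarm
    used=$(df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }')
    [ "$used" -ge "$2" ] && { echo "DISK: $1 is ${used}% used"; return 1; }
    return 0
}

# Demo against a constructed tree; prints the number of failed checks (2).
run_demo() {
    d=$(mktemp -d); mkdir -p "$d/www" "$d/video"
    : > "$d/www/.htaccess"; chmod 644 "$d/www/.htaccess"
    echo x > "$d/video/good.mpg"; chmod 600 "$d/video/good.mpg"
    : > "$d/video/bad.mpg"                  # the zero-byte recording
    fails=0
    check_present "$d/www/.htaccess"   || fails=$((fails + 1))
    check_mode "$d/www/.htaccess" 644  || fails=$((fails + 1))
    check_mode "$d/video/good.mpg" 660 || fails=$((fails + 1))   # wrong mode
    check_no_empty "$d/video" '*.mpg'  || fails=$((fails + 1))   # bad.mpg
    check_disk "$d" 100                || fails=$((fails + 1))
    rm -rf "$d"; echo "$fails"
}
```

Dropping the functions into root's crontab and mailing any non-empty output is the "learn from each error" pattern: each new incident becomes one more function.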






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.



