Stefan Midjich ꙮ҄

@aral how is it theatre? For example, when I have to expose ssh to the internet I usually use port 2022 because at least that's one more layer of security: in case someone gets user access to the system and is able to crash the ssh service, they can't start their own service that harvests passwords, because it was on a privileged port.

7 comments
Aral Balkan

@stemid Please see the linked page (and the articles linked to that) :)

paillp

@aral @stemid I mean, there's just plenty of solutions. From what I read in your article you have found one through modifying a kernel parameter. Which means that the mechanism is implemented. It's just not enabled by default.

I see lots of workarounds to your problem and Linux in itself doesn't prevent one from achieving the behavior you're looking for.
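The boundary Stefan describes and the kernel parameter paillp refers to, as an added example that is not from any of the thread's participants: on Linux 4.11 and later the boundary is the sysctl `net.ipv4.ip_unprivileged_port_start` (default 1024; 0 removes the restriction). The script reads that value, classifies a port against it, and reports what a bind attempt returns, so a defender can confirm the layer is actually in force on a given host. It assumes a Linux host with `/proc` mounted; run it as an unprivileged user to see the `eacces` result for port 22.

```python
import errno
import socket

# Linux 4.11+: first port an unprivileged process may bind (0 disables the check).
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def unprivileged_port_start(sysctl_text=None):
    """Return the first port an unprivileged process may bind.

    Reads the sysctl from /proc unless the text is passed in; falls back
    to the classic 1024 if the file is missing or does not parse.
    """
    if sysctl_text is None:
        try:
            with open(SYSCTL_PATH) as fh:
                sysctl_text = fh.read()
        except OSError:
            return 1024
    try:
        return int(sysctl_text.strip())
    except ValueError:
        return 1024


def is_privileged_port(port, start=None):
    """True if binding `port` needs root or CAP_NET_BIND_SERVICE under `start`."""
    if start is None:
        start = unprivileged_port_start()
    return 0 < port < start


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind and report 'bound', 'eacces', 'inuse' or 'error'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "bound"
    except PermissionError:
        return "eacces"  # the layer the thread argues about, enforced by the kernel
    except OSError as exc:
        return "inuse" if exc.errno == errno.EADDRINUSE else "error"
    finally:
        sock.close()


if __name__ == "__main__":
    start = unprivileged_port_start()
    print(f"ip_unprivileged_port_start = {start}")
    for port in (22, 2022):
        kind = "privileged" if is_privileged_port(port, start) else "unprivileged"
        print(f"port {port}: {kind}, bind -> {try_bind(port)}")
```

If the first line prints 0, the privileged-port distinction is switched off on that host and the restart-after-crash scenario in Stefan's post no longer has the kernel on its side.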

Aral Balkan

@paillp @stemid Yes and those workarounds complicate workflows and create usability issues.

Stefan Midjich ꙮ҄

@aral ok I read the post but all I can say is that I deploy services of all sorts of languages and frameworks for a living and I never have to give them any higher privileges. Because in production there is always a proxy in front of the service, and in dev they can use nonstandard ports.

So I still see no reason to allow services to use privileged ports in my view. But we all have different perspectives.

Aral Balkan

@stemid This is my use case: ar.al/2020/08/07/what-is-the-s

We need to set up your own Facebook on your own server in under a minute with no technical knowledge required on your part. And democratise development while we’re at it as much as possible. So no front controller/proxy, etc., setups. Think lightweight server with in-process database.

But, beyond use cases, again, it provides no real security unless you’re administering a System/360.

hkc (Carbonated)

@stemid "oh no, someone already got access to our system and starts collecting its data, I'm sure it's not too late to stop everything!"

Stefan Midjich ꙮ҄

@hatkidchan it's absolutely not too late. System access does not mean access to sensitive data. That is precisely why Linux has things like multiple user accounts, file permissions, promiscuous mode networking, and of course more advanced MAC systems like SELinux. So no, the battle is absolutely not lost just because someone has access to a system.
