[mythtv-users] Security concerns for my myth box
bam at snoopy.apana.org.au
Thu Dec 16 05:33:22 UTC 2004
>>>>> "Craig" == Craig Partin <cpartin at gmail.com> writes:
Craig> Is SSH the only software people trust to listen for network
Craig> connections? What's wrong with apache and SSL? And does
Craig> myth (backend or frontend) listen for anything? Are there
Craig> dangers in just having one machine running myth also
Craig> running network services?
Actually, there have been known security bugs (that have since been
fixed in recent versions) in ssh that allow an attacker to gain root
access without needing a valid login.
I haven't heard of similar security problems with Apache, and Apache
doesn't normally run as root either.
Not only that, but recently the number of random attacks on ssh has
increased dramatically. This makes administrators rather nervous. Do
not setup obvious accounts with obvious passwords (such as a guest
account with a password of guest), they will be found. Once an
attacker has a login shell they can proceed to search for other
security weaknesses that might give root access.
So it could be argued that running Apache only might be safer then
running ssh only.
Brian May <bam at snoopy.apana.org.au>
More information about the mythtv-users