[vox-tech] cvs security

Ricardo Anguiano vox-tech@lists.lugod.org
10 Dec 2001 12:06:55 -0800


Peter Jay Salzman <p@dirac.org> writes:

> i've been thinking about cvs security a lot lately.

Security is defined by policy.  The mechanism tries to enforce the
policy.  Chant this mantra until you achieve security.

> wouldn't pserver be *fairly* secure using tcpwrappers?  i want one or
> two people accessing my server.  if i dump their IPs in
> /etc/hosts.allow, wouldn't that be secure enough?

Sounds like the mechanism here is tcpwrappers.

> i don't want to run fort knox here.  i know from my own personal
> experience that a determined hacker can get into anything he/she wants
> to.  but i do want to make my server a PITA to break in to.

This sounds like a security policy to me.

> would a tcpwrapped pserver be fairly secure?

Sounds like you are just looking to raise the effort bar on this one
port.  As long as the port is really tcpwrapped you raise the bar.
Address-based authentication is weak, but it appears as though you are
concerned with keeping your effort/effect ratio low.

Monitor your server.  Keep good backups away from the machine.  Wash
behind your ears.

-Ricardo
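
Added example (not part of the original message): a small check for whether the pserver port is "really tcpwrapped", which models the hosts_access(5) evaluation order to show that listing addresses in /etc/hosts.allow only restricts access when /etc/hosts.deny also has a matching deny rule. The sample file contents, the cvs path and repository root, and the addresses are constructed assumptions; the matcher handles only literal addresses and the ALL wildcard.

```python
import os

# Constructed sample files (not from the original thread); addresses are
# documentation ranges and the cvs path/root are assumptions.
INETD = """\
# service  type   proto wait   user server         args
cvspserver stream tcp   nowait root /usr/sbin/tcpd /usr/bin/cvs -f --allow-root=/var/cvs pserver
"""
INETD_UNWRAPPED = "cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/var/cvs pserver\n"
HOSTS_ALLOW = "cvs: 192.0.2.10, 192.0.2.11\n"
HOSTS_DENY = "ALL: ALL\n"

def wrapped_daemon(inetd_text, service="cvspserver"):
    """Return the daemon name tcpd will look up, or None if not wrapped."""
    for line in inetd_text.splitlines():
        f = line.split()
        # Field 6 is the server program; with tcpd, field 7 is the real daemon.
        if len(f) >= 7 and f[0] == service and os.path.basename(f[5]) == "tcpd":
            return os.path.basename(f[6])
    return None

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def matches(rules, daemon, client):
    return any((daemon in d or "ALL" in d) and (client in c or "ALL" in c)
               for d, c in rules)

def allowed(daemon, client, allow_text, deny_text):
    """hosts_access(5) order: allow match grants, deny match refuses, else grant."""
    if matches(parse_rules(allow_text), daemon, client):
        return True
    if matches(parse_rules(deny_text), daemon, client):
        return False
    return True

if __name__ == "__main__":
    d = wrapped_daemon(INETD)
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, allowed(d, ip, HOSTS_ALLOW, HOSTS_DENY), allowed(d, ip, HOSTS_ALLOW, ""))
```

With an empty hosts.deny the unlisted address is still granted access, so the allow list alone does not raise the bar.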