Linode Forum
Linode Community Forums
Posted: Tue Mar 06, 2012 7:27 pm
Senior Member

Joined: Sat Mar 24, 2007 6:09 pm
Posts: 59
Location: South Africa
Hi,

Couldn't you just block LISH from accessing your box? As I understand it, it uses /dev/hvc0 to map the connection to console. So, simply remove the getty/agetty line from your /etc/inittab and force a re-read.

You'd still be seeing the boot process, but you won't get a login prompt.

--deckert
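The change Deckert describes, as an added example that is not part of the thread: a small POSIX shell helper that comments out the getty entry for /dev/hvc0 in a SysV-style /etc/inittab, with a check that counts how many active hvc0 getty lines remain. The file path and the hvc0 device name come from the post; the function names and the constructed sample inittab are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a SysV init that reads
# /etc/inittab and a console getty entry naming hvc0 (the device the
# post says LISH attaches to). Function names are this example's own.

# Comment out every active inittab entry that respawns a getty on hvc0.
# $1 = inittab path (defaults to /etc/inittab). Writes a .bak copy first.
disable_hvc0_getty() {
    f="${1:-/etc/inittab}"
    cp "$f" "$f.bak"
    # Lines that are not already comments, use the respawn action and
    # spawn getty/agetty on hvc0 get a leading '#'.
    sed -e '/^[^#].*:respawn:.*getty.*hvc0/s/^/#/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Count the active (uncommented) getty entries for hvc0 in $1.
# Prints 0 when none remain; useful as a post-change check.
count_hvc0_getty() {
    grep -c '^[^#].*:respawn:.*getty.*hvc0' "$1" || true
}

# Dry run on a constructed sample inittab (not a real system file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
id:2:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
c0:2345:respawn:/sbin/getty 38400 hvc0 linux
EOF
    echo "before: $(count_hvc0_getty "$tmp") active hvc0 getty line(s)"
    disable_hvc0_getty "$tmp"
    echo "after:  $(count_hvc0_getty "$tmp") active hvc0 getty line(s)"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

On a live system the edit is applied to /etc/inittab as root, followed by `telinit q` so init re-reads the file and stops respawning the getty. The kernel still writes its boot messages to the console, so the LISH view, reboot and profile-boot functions keep working; what goes away is the interactive login prompt, which is exactly the trade-off the rest of the thread argues about.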


Posted: Tue Mar 06, 2012 8:13 pm
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
Deckert wrote:
Hi,

Couldn't you just block LISH from accessing your box? As I understand it, it uses /dev/hvc0 to map the connection to console. So, simply remove the getty/agetty line from your /etc/inittab and force a re-read.

You'd still be seeing the boot process, but you won't get a login prompt.

--deckert


I can secure SSH by shutting down the service too. This also has the side effect of making the service useless.

Although I do appreciate this information for people who choose to lock the service out completely, I hope you understand that it isn't a legitimately comparable solution to SSH keys and IP restrictions.


Posted: Wed Mar 07, 2012 3:37 pm
Senior Member

Joined: Sat Mar 24, 2007 6:09 pm
Posts: 59
Location: South Africa
jasonritzke wrote:
I can secure SSH by shutting down the service too. This also has the side effect of making the service useless.


Er .. not SSH to the box. That you keep fully under your control. I'm talking about just blocking LISH access.

--deckert


Posted: Wed Mar 07, 2012 3:48 pm
Senior Member

Joined: Fri Dec 10, 2010 6:21 am
Posts: 144
Deckert wrote:
Couldn't you just block LISH from accessing your box? As I understand it, it uses /dev/hvc0 to map the connection to console. So, simply remove the getty/agetty line from your /etc/inittab and force a re-read.

You'd still be seeing the boot process, but you won't get a login prompt.


In addition to viewing the console log you can also reboot, shut down, boot any config profile (if you have a profile for Finnix that's lots of fun), etc.


Also, I'm pretty sure most of us want to keep the actual Lish console working, just lock access down a bit more.


Posted: Wed Mar 07, 2012 4:38 pm
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
Deckert wrote:

Er .. not SSH to the box. That you keep fully under your control. I'm talking about just blocking LISH access.

--deckert


That was for the purpose of comparison. lish is one of the reasons I chose linode. I like to be able to get access to servers FAST when things go wrong. Having to open a support ticket and wait is not on the agenda when you've got uptime agreements to keep.

Also, not to be contrary, but when I ask for security and somebody responds "turn it off", I almost immediately stop listening. Securing a service by deactivating the useful parts of the service isn't resolving the problem, it's removing a problem.


Posted: Tue Mar 20, 2012 4:20 am
Senior Member

Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
lish access control is only as secure as the web manager, because from the web manager you can upload new lish keys. And presumably, in the hypothetical situation that lish does have access controls, it would be managed through the web manager.

The web manager is a big proprietary black box, we have no idea how secure it is. You could restrict your web account login to certain IPs but it is apparent now your web account isn't the only web account with access to your linodes.

But I'm guessing from a security point of view you're no better off some place else. Maybe a provider who uses openstack might remove one of the unknowns.


Posted: Tue Mar 20, 2012 8:27 am
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
chesty wrote:
...but it is apparent now your web account isn't the only web account with access to your linodes...


It isn't apparent to me. AFAIK the recent hack required the users to use the CS portal to get the account name, whereupon they had to do work to compromise the manager in order to get naughty with the nodes.

If there's some new information on exactly how the hack was perpetrated then I'd like to hear it, but last time I checked there was no indication that the CS portal allowed for direct node access.


Posted: Thu Mar 22, 2012 6:06 am
Senior Member

Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
jasonritzke wrote:
chesty wrote:
...but it is apparent now your web account isn't the only web account with access to your linodes...


It isn't apparent to me. AFAIK the recent hack required the users to use the CS portal to get the account name, whereupon they had to do work to compromise the manager in order to get naughty with the nodes.

If there's some new information on exactly how the hack was perpetrated then I'd like to hear it, but last time I checked there was no indication that the CS portal allowed for direct node access.


1. linode hasn't publicly said what you just said.
2. I never said the cs portal allowed direct node access. The cs portal has a list of your "linodes" that you can manage, your cs account isn't the only account that can manage your "linodes" on the cs portal.


Posted: Thu Mar 22, 2012 10:10 am
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
chesty wrote:
1. linode hasn't publicly said what you just said.
2. I never said the cs portal allowed direct node access. The cs portal has a list of your "linodes" that you can manage, your cs account isn't the only account that can manage your "linodes" on the cs portal.


Linode said exactly what he said in public:

http://status.linode.com/2012/03/manage ... ident.html


Posted: Fri Mar 23, 2012 11:13 pm
Senior Member

Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
Guspaz wrote:
chesty wrote:
1. linode hasn't publicly said what you just said.
2. I never said the cs portal allowed direct node access. The cs portal has a list of your "linodes" that you can manage, your cs account isn't the only account that can manage your "linodes" on the cs portal.


Linode said exactly what he said in public:

http://status.linode.com/2012/03/manage ... ident.html


That doesn't say anything of the sort. You have a very vivid imagination.


Posted: Mon Mar 26, 2012 10:10 am
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
chesty wrote:
That doesn't say anything of the sort. You have a very vivid imagination.


jasonritzke wrote:
AFAIK the recent hack required the users to use the CS portal to get the account name, whereupon they had to do work to compromise the manager in order to get naughty with the nodes.


linode wrote:
This morning, an intruder accessed a web-based Linode customer service portal. [...] The intruder proceeded to compromise those Linode Manager accounts [...] The portal does not have access to credit card information or Linode Manager user passwords.


My imagination isn't required here.


Posted: Sat Sep 01, 2012 2:21 am
Senior Member

Joined: Tue Aug 17, 2004 11:37 pm
Posts: 262
Website: http://www.our-lan.com
WLM: nf@our-lan.com
Location: Brisbane, Australia
Good work for bumping a 6-month-old post..

_________________
ServerAdmin - www.our-lan.com
"Diplomacy is the art of saying nice doggy whilst looking for a really big stick"
"In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot"


Posted: Thu Sep 06, 2012 8:14 pm
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Are... Are you chastising yourself? I'm confused.


Posted: Thu Sep 06, 2012 10:29 pm
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
Guspaz wrote:
Are... Are you chastising yourself? I'm confused.


Another post is now gone.

