From: user@example.net   
      
   Aragorn wrote:   
   > J.O. Aho wrote:   
      
   >> IMHO it feels better if someone "hack" a domU with only read only access   
   >> to files, than getting access to dom0, and if something would get messy   
   >> then just restart the domU instead of a reboot of the whole system.   
   > My intended set-up is to have /dom0/ do the routing, network address   
   > translation and firewalling, and to direct port 22 to an unprivileged   
   > virtual machine.  Remote access to /dom0/ would then still be possible, but   
   > via a detour through the unprivileged machine.   
   > In addition, I intend to set up all virtual machines - including /dom0/ - to   
   > disallow direct root logins, so that one first has to log in via an   
   > unprivileged user account and then use /su/ or possibly /sudo/ to perform   
   > root tasks.   
      
   Yes, I have always run ssh with root login disabled, I have even set users who   
   don't need to be able to use ssh to be disabled too. Another thing I made when   
   I got all to many script kiddies trying to force in, was to move the ssh away   
   fro port 22, it don't make the system more secure, but you get rid those   
   script kiddies who tries to force login in as john and a million other common   
   US-English names. Also at the third attempt from the same ip, the ip is   
   blocked for a hour for additional attempts.   
      
   Sure sudo is "great", but I don't feel it as secure as su, as you continue to   
   use the user password, while using su you need to know the root password   
   before you can do anything.   
      
      
      
   >>>> This would be more or less, everything I have today in one box, still   
   >>>> quite normal off the shelf hardware, but still a bit over 1000 Euro, but   
   >>>> still cheaper than those Indian 5000 Euro cars.   
   >>> You mean that backpack on wheels from Tata Motors? :p  Wasn't that 2500   
   >>> Euro, by the way? ;-)   
   >> Yes, that one. It may have dropped in price, but still the hardware   
   >> solution I have looked at is cheaper than the car. :)   
   > Well, I haven't exactly looked at the specs for that car yet, but I presume   
   > that it won't be winning any "Grand Prix of the Red Lights" anyway, and   
   > unless you're a smurf, that thing doesn't look very spacious either. ;-)   
      
   No, it won't win any prices, specially not traffic safe prices, I think it's   
   more in the class with original coopers, if you crashed with it you could be   
   95% sure you would die.   
      
   > Hmm...  Now why am I thinking back of those old three-wheeler bubblecars   
   > from when I was a little boy? :p   
      
   :) just remember those from movies and telly programs shot "some" years   
   earlier than my first year, but it was still without safety belts in the back   
   and only 2 point safety belts in the front on most cars.   
      
   --   
      
      //Aho   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)