[PLUG] CVS server security
Ian Neath
neath@psych.purdue.edu
Mon, 12 Feb 2001 10:56:40 -0500 (EST)
I've set up a cvs server and I have a general question about how secure
the following setup is (I've never done remote CVS before). I've gone
through cvshome.org and cvsbook.red-bean.com.

The server runs Debian (fresh install of potato, with all updates), and
the client machines will use OpenSSH (CVS_RCS=ssh).

/etc/inetd has the following entry:

    cvspserver stream tcp nowait.400 root /usr/sbin/tcpd /usr/bin/cvs -b /usr/bin --allow-root=/foo/cvsroot pserver

I have hosts.deny set to ALL: ALL
I have hosts.access set to sshd: ALL and cvs: ALL

I'm not running any other services (e.g., no httpd, no portmap, no nfs,
no ftp). Nmap shows only ports 22 (ssh) and 2401 (cvspserver) open.

In CVSROOT/config I have SystemAuth=no

In CVSROOT/ I have a passwd file that contains only 3 users and their
crypted passwords. I do not have an "anonymous" user listed.

Is this a reasonably secure setup or have I missed something? (For
example, I'm not concerned about physical security or firewalls at this
point.)
--
Ian Neath, neath@psych.purdue.edu
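
Added example, not part of the original post: a small Python audit of the three pieces of configuration the message describes (the inetd entry, CVSROOT/config and CVSROOT/passwd). The sample inputs are constructed to mirror the post, and the names audit_pserver and _lines, the user names and the password hashes are placeholders.

```python
# Constructed sample inputs modelled on the setup described in the post.
SAMPLE_INETD = ("cvspserver stream tcp nowait.400 root /usr/sbin/tcpd "
                "/usr/bin/cvs -b /usr/bin --allow-root=/foo/cvsroot pserver\n")
SAMPLE_CONFIG = "# CVSROOT/config\nSystemAuth=no\n"
SAMPLE_PASSWD = ("alice:ab01FAKEHASHxx\n"
                 "bob:cd02FAKEHASHyy:cvsuser\n"
                 "carol:ef03FAKEHASHzz\n")


def _lines(text):
    """Yield stripped, non-empty, non-comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit_pserver(inetd_text, config_text, passwd_text):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    # inetd.conf fields: service, socket type, protocol, wait, user, program, args...
    for fields in (l.split() for l in _lines(inetd_text)):
        if fields[0] != "cvspserver":
            continue
        if len(fields) < 7:
            findings.append("inetd: malformed cvspserver entry")
            continue
        if not fields[5].endswith("/tcpd"):
            findings.append("inetd: pserver not wrapped by tcpd")
        if not any(a.startswith("--allow-root=") for a in fields[6:]):
            findings.append("inetd: no --allow-root on the pserver command line")
    # SystemAuth defaults to yes: system accounts then also work as pserver logins.
    settings = dict(l.split("=", 1) for l in _lines(config_text) if "=" in l)
    if settings.get("SystemAuth", "yes").strip().lower() != "no":
        findings.append("config: SystemAuth is not 'no'")
    # CVSROOT/passwd format: user:crypted-password[:system-user]
    for line in _lines(passwd_text):
        user, password, run_as = (line.split(":") + ["", ""])[:3]
        if password == "":
            findings.append(f"passwd: {user} has an empty password field "
                            "(any password is accepted)")
        if user == "anonymous":
            findings.append("passwd: anonymous user is listed")
        if (run_as or user) == "root":
            findings.append(f"passwd: {user} maps to system user root")
    return findings


if __name__ == "__main__":
    print(audit_pserver(SAMPLE_INETD, SAMPLE_CONFIG, SAMPLE_PASSWD) or "no findings")
```

These checks cover only the files quoted in the message; they do not look at the tcpd access files or at how the password travels between client and server.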