On Tue, 19 Sep 2006, Erik Norgaard wrote:
Along with some good advice. First of all: ssh is not a public service like
http or smtp where you need anyone to be able to connect. So don't let them
in the first place.
It is in this case. It's a web server that allows shell usage (and
encourages it, as I actually advocate the power that comes with a shell as
opposed to the primitive (and less secure) interface you may get with crap
utilities like cpanel, or FTP (where you're at the mercy of the featureset
of your particular app).
Disable direct root login, in the article more than a third attempted to
login as root. Disable shell access for service accounts such as mysql, www
or ldap.
Already being done. At this point I should mention that root has a login
option whereby it can be done ONLY with publickey auth.
Use a scheme for choosing usernames that avoids common names like "james" and
avoid publishing usernames on web-sites, e-mail may differ from the username.
This is somewhat unaviodable -- as I allow users to choose them.
Disable password based authentication and require ssh-keys if possible, best
if you can ensure both pasword and key based authentication.
This also assumes that people password their keys, otherwise it actually
*lessens* the security of a thing greatly. Most folks don't. I do wish
there was some standard for forcing applications to not save passwords
(other than OTP).
You may still find sshd login denied entries in your log - so what? it was
denied! This is really only a problem if the traffics saturates your
connection, or your log files grow so much that you run out of diskspace.
It was denied, yes...but when it's denied for 200 different users from the
same IP, it only takes one user with a weak password (and as much as I
like keys, I personally prefer the passwords). I also find that since I
have a nice web-enabled SSH app (as part of usermin), the key becomes
sorta useless in that case.
The article also comments on moving ssh to a different port, but this causes
confusion and annoyance if you have many users and is non-standard. Doing the
other things works great, an ssh-key on a usb-keyring is great.
For anyone savvy, yes. I don't assume that level of savvy.
Personally, I created a script for parsing the delegated files from the
different regional registries such as only to allow connection from EU
countries.
Sounds interesting, is it public?
Since then, I get at most one attempt a week, few enough to manually look up
the ip with whois and decide if the host or network should be blocked.
Cheers, Erik
--
<Wrin> quick, somebody tell me the moon phase please?
<Dan_Wood> Wrin: Plummeting.
-Undernet #reboot, 9/11/01 (day of the WTC bombing)
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
