Well oddly enough today I had a server hacked. There was a privilege escalation flaw in the only exposed daemon (probably a 0 day of some sort; I've reported it to the devs).

Someone managed to get root, remove the cert, set a password and login via ssh and then set the box up as a spam relay of all things. I think from now on, I'm going to see if there is a way to just completely remove the root user. (Box is fully patched and auto-updates and applies patches daily.) I would like to set up a central auth server (probably LDAP) that auths me as an individual to these servers. Then remove root completely. Is that even possible? I guess in reality it would be no different than just renaming root to a different name, but frankly cleaning up the damage from this script kiddy is annoying me.

Having an auth server be authoritative for a box, and then have permissions and groups set by the box seems like a decent solution, but then I ask myself, what happens when the authbox gets cracked?

On Thu, Feb 6, 2014 at 9:23 AM, Michael Torrie <[email protected]> wrote:
> On 02/06/2014 04:02 AM, Dan Egli wrote:
> > Interesting, and I could certainly see that in a /root/.sshd/config file, but in the master file? That indicates that unless you have the certificate, NO ONE can login via SSH. That seems overkill to me.
>
> Well, if you're a site like github, hosting git repos over ssh, it's probably a very wise prudent thing to do. Requiring all your users to access via key is the only safe thing to do, really. Of course in my situation, and github's, there is a method for securely installing keys. In my case I can get in via a secure web-based terminal that Linode provides and add my key. In github's case you use their web interface to load the key.
>
> > Perhaps that works good in your situation, but I certainly can't see a situation where I'd want to do that. In root's config, sure. That makes a LOT of sense. But not for every user on the system. I suppose you could override the global behavior by an individual user's .sshd/config file, but that still seems like overkill to me.
>
> You can easily do what you say with the global file. That's what the "PermitRootLogin without-password" option is for.
>
> > Perhaps you can explain why you block logins except via ssh key or certificate to all users? I'd be curious to understand the reasoning behind this approach.
>
> Frankly it's the only way to secure an ssh server from brute-force attacks. Actually it stops brute force attacks at the door, since they don't offer any keys upon connecting, so they get disconnected before they can even offer a password to try.
>
> Plus ssh keys are just way more secure than passwords, that we all know are not well-chosen by end users. And they aren't that hard to use.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
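The two sshd_config settings the thread turns on are `PermitRootLogin without-password` (root only via key; newer OpenSSH spells it `prohibit-password` and still accepts the old name) and `PasswordAuthentication no` (nobody via password, which is what stops the brute-force attempts Michael describes). The checker below is an added example, not code from anyone on the list: it audits a config file for those two keywords using sshd's own rule that the first occurrence of a keyword wins, and it runs over two constructed sample configs, a weak one and a hardened one. The defaults it assumes for an absent keyword (`yes` for both) are a conservative assumption, not a statement about any particular OpenSSH release.

```shell
#!/bin/sh
# Added example (not part of the thread): audit an sshd_config for the two
# settings discussed. sshd uses the FIRST occurrence of a keyword, so the
# checker mirrors that rule. Keywords are case-insensitive; '#' lines are ignored.

# Print the effective value of keyword $2 in config file $1.
# $3 is the value assumed when the keyword is absent (assumption: "yes").
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }                        # skip comments
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 if the config refuses password logins for root AND everyone else,
# 1 otherwise. "without-password" is the older spelling of "prohibit-password".
sshd_is_key_only() {
    root=$(sshd_effective "$1" PermitRootLogin yes)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) return 1 ;;
    esac
    [ "$pw" = "no" ]
}

# --- constructed sample configs (not real server files) ---
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT

cat >"$weak" <<'EOF'
# stock-looking config: root may log in with a password
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat >"$hardened" <<'EOF'
# hardened: root only via key, nobody via password
permitrootlogin without-password
PasswordAuthentication no
PasswordAuthentication yes
EOF
# (the second PasswordAuthentication line above is deliberately ignored,
#  because sshd honours only the first occurrence)

for cfg in "$weak" "$hardened"; do
    if sshd_is_key_only "$cfg"; then
        echo "$cfg: key-only (root=$(sshd_effective "$cfg" PermitRootLogin yes))"
    else
        echo "$cfg: still accepts passwords"
    fi
done
```

Run it against a real `/etc/ssh/sshd_config` with `sshd_is_key_only /etc/ssh/sshd_config`; on a live box, `sshd -T` prints the fully resolved configuration (including `Match` blocks, which this simple checker does not evaluate) and is the authoritative answer.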
