Security Incidents mailing list archives
Re: SSH scans...
From: Steve Kemp <steve () steve org uk>
Date: Mon, 20 Dec 2004 22:13:58 +0000
On Mon, Dec 20, 2004 at 10:45:55AM -0800, Raymond Lillard wrote:

> This should fail for at least these reasons:
> 1. "ssh" should be configured to prohibit root logins

Sometimes not an option. It's useful to back up machines with rsync, or push updates out as root. Having a different named account but still with UID isn't gaining much.

> 2. All machines should be configured to prohibit direct root logins except on the physical console

That seems a bit excessive. I usually set up controls by IP address in /etc/hosts.allow, and /etc/hosts.deny. Then limit incoming SSH connections via something like:

    AllowUsers skx mp3 foo bar ...

That way even if there is a user called 'test' with password 'test' (Extremely unlikely!) they cannot log in.

> 3. Proper attention to passwords

Agreed. Back up with `john the ripper` if you don't think that your users are following whatever password policy you have in place.

Steve
--
# Debian System Administration www.debian-administration.org/
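The following is an added example, not part of the original message: a small audit of the AllowUsers approach described above, reporting which local accounts sshd would still accept. The sample configuration, the account list and the function names are constructed for illustration; Match blocks, negated patterns and the host part of USER@HOST entries are not evaluated.

```python
import fnmatch

# Constructed sample sshd_config, modelled on the AllowUsers line in the message.
SAMPLE_CONFIG = """\
# constructed sample
PermitRootLogin yes
AllowUsers skx mp3
allowusers foo bar backup@192.0.2.10
"""

def parse_sshd_config(text):
    """Return (allow_patterns, permit_root_login) from the global section."""
    allow, permit_root = [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        keyword, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if keyword == "match":
            break  # simplification: conditional blocks are not evaluated
        if keyword == "allowusers":
            allow.extend(args)  # repeated AllowUsers lines accumulate
        elif keyword == "permitrootlogin" and permit_root is None and args:
            permit_root = args[0].lower()  # first value obtained wins
    return allow, permit_root

def login_permitted(user, allow):
    """True if AllowUsers does not exclude this user (host part ignored)."""
    if not allow:
        return True  # directive absent: no restriction from AllowUsers
    return any(fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in allow)

def audit(config_text, accounts):
    """Split accounts into those AllowUsers admits and those it blocks."""
    allow, permit_root = parse_sshd_config(config_text)
    permitted = [a for a in accounts if login_permitted(a, allow)]
    blocked = [a for a in accounts if a not in permitted]
    return {"permitted": permitted, "blocked": blocked,
            "permit_root_login": permit_root}

if __name__ == "__main__":
    # Constructed account list, including the 'test' account from the message.
    print(audit(SAMPLE_CONFIG, ["root", "test", "skx", "foo", "backup"]))
```

With this sample, root is blocked by AllowUsers even though PermitRootLogin is yes, so a setup that relies on root rsync or pushed updates also has to list root in AllowUsers.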