Re: SSH scans...
From: Steve Kemp (steve_at_steve.org.uk)
Date: 12/20/04
- Previous message: Ben Nelson: "Re: SSH scans..."
- In reply to: Raymond Lillard: "Re: SSH scans..."
- Next in thread: KEM Hosting: "RE: SSH scans..."
- Reply: KEM Hosting: "RE: SSH scans..."
- Reply: Michael H. Warfield: "Re: SSH scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 20 Dec 2004 22:13:58 +0000
To: Raymond Lillard <rlillard@sonic.net>
On Mon, Dec 20, 2004 at 10:45:55AM -0800, Raymond Lillard wrote:
> This should fail for at least these reasons:
>
> 1. "ssh" should be configured to prohibit root logins
Sometimes not an option. It's useful to back up machines
with rsync, or push updates out as root. Having a differently
named account but still with UID 0 isn't gaining much.
> 2. All machines should be configured to prohibit
> direct root logins except on the physical console
That seems a bit excessive. I usually set up controls by
IP address in /etc/hosts.allow and /etc/hosts.deny. Then
limit incoming SSH connections via something like:
AllowUsers skx mp3 foo bar ...
That way even if there is a user called 'test' with
password 'test' (Extremely unlikely!) they cannot login.
>
> 3. Proper attention to passwords
Agreed. Back up with `john the ripper` if you don't think that
your users are following whatever password policy you have in
place.
Steve
-- # Debian System Administration www.debian-administration.org/
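As an added illustration of the two layers Steve describes (source-address control in /etc/hosts.allow and /etc/hosts.deny, then AllowUsers/DenyUsers in sshd_config), here is a Python script that evaluates whether a given user connecting from a given client address would get past both. It is not code from the original thread. The file contents, user names and addresses are constructed; it implements only a subset of tcp_wrappers client patterns (ALL, a single address, net/mask in dotted or CIDR form) and of sshd's matching (DenyUsers before AllowUsers, `*` and `?` wildcards, the `user@host` form, `PermitRootLogin no` treated as a flat deny for root), and it assumes PermitRootLogin defaults to `yes` as it did in OpenSSH of that era.

```python
"""Added example (not from the original thread): evaluate an SSH login attempt
against tcp_wrappers rules and sshd AllowUsers/DenyUsers.  All file contents,
user names and addresses below are constructed for illustration."""
import ipaddress
import re

# Constructed sample /etc/hosts.allow: the LAN plus one backup host may reach sshd.
HOSTS_ALLOW = """
sshd: 192.168.1.0/255.255.255.0 10.0.0.5
"""
# Constructed sample /etc/hosts.deny: everything else is refused before sshd sees it.
HOSTS_DENY = """
sshd: ALL
"""
# Constructed sample sshd_config fragment: root only by key, and only from the backup host.
SSHD_CONFIG = """
PermitRootLogin without-password
DenyUsers test guest
AllowUsers skx mp3 foo bar root@10.0.0.5
"""


def _glob_to_re(pattern):
    """sshd-style pattern: '*' matches any string, '?' any single character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def ssh_pattern_match(pattern, user, client_ip):
    """Match one AllowUsers/DenyUsers token; 'user@host' also restricts the source address."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return bool(_glob_to_re(upat).match(user)) and bool(_glob_to_re(hpat).match(client_ip))
    return bool(_glob_to_re(pattern).match(user))


def parse_sshd_config(text):
    """Keyword -> list of values; keywords are case-insensitive in sshd_config."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf.setdefault(key.lower(), []).extend(val.split())
    return conf


def sshd_allows(conf, user, client_ip):
    """DenyUsers is consulted before AllowUsers, as in sshd; an AllowUsers list with no
    match refuses the user.  PermitRootLogin is assumed to default to 'yes' (OpenSSH of 2004)."""
    if user == "root" and conf.get("permitrootlogin", ["yes"])[0] == "no":
        return False
    if any(ssh_pattern_match(p, user, client_ip) for p in conf.get("denyusers", [])):
        return False
    allow = conf.get("allowusers")
    if allow and not any(ssh_pattern_match(p, user, client_ip) for p in allow):
        return False
    return True


def parse_wrapper_file(text):
    """Rules of the form 'daemon_list : client_list'; any options after a third ':' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) >= 2:
            rules.append((parts[0].split(), parts[1].split()))
    return rules


def _wrapper_client_match(pattern, client_ip):
    """Subset of tcp_wrappers client patterns: ALL, a single address, or net/mask (dotted or CIDR)."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def tcp_wrappers_allow(allow_rules, deny_rules, daemon, client_ip):
    """tcp_wrappers order: a hosts.allow match grants, else a hosts.deny match refuses, else grant."""
    def matches(rules):
        return any(("ALL" in daemons or daemon in daemons)
                   and any(_wrapper_client_match(c, client_ip) for c in clients)
                   for daemons, clients in rules)
    if matches(allow_rules):
        return True
    return not matches(deny_rules)


def login_permitted(user, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY,
                    sshd_config=SSHD_CONFIG):
    """A connection refused by tcp_wrappers never reaches sshd, so that layer is checked first."""
    if not tcp_wrappers_allow(parse_wrapper_file(hosts_allow), parse_wrapper_file(hosts_deny),
                              "sshd", client_ip):
        return False
    return sshd_allows(parse_sshd_config(sshd_config), user, client_ip)


if __name__ == "__main__":
    for user, ip in [("skx", "192.168.1.20"), ("test", "192.168.1.20"), ("skx", "203.0.113.9"),
                     ("root", "10.0.0.5"), ("root", "192.168.1.20")]:
        print(f"{user} from {ip}: {'permitted' if login_permitted(user, ip) else 'refused'}")
```

With the constructed files, root is admitted only from 10.0.0.5 (the rsync backup host in Steve's scenario) while a `test` account is refused outright, and an address outside the LAN is dropped by tcp_wrappers before any sshd rule is consulted.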