On Tue, 19 Sep 2006, Erik Norgaard wrote:

Along with some good advice. First of all: ssh is not a public service like http or smtp where you need anyone to be able to connect. So don't let them in the first place.

It is in this case. It's a web server that allows shell usage (and encourages it, as I actually advocate the power that comes with a shell as opposed to the primitive (and less secure) interface you may get with crap utilities like cpanel, or FTP (where you're at the mercy of the featureset of your particular app).

Disable direct root login, in the article more than a third attempted to login as root. Disable shell access for service accounts such as mysql, www or ldap.

Already being done. At this point I should mention that root has a login option whereby it can be done ONLY with publickey auth.

Use a scheme for choosing usernames that avoids common names like "james" and avoid publishing usernames on web-sites, e-mail may differ from the username.

This is somewhat unaviodable -- as I allow users to choose them.

Disable password based authentication and require ssh-keys if possible, best if you can ensure both pasword and key based authentication.

This also assumes that people password their keys, otherwise it actually *lessens* the security of a thing greatly. Most folks don't. I do wish there was some standard for forcing applications to not save passwords (other than OTP).

You may still find sshd login denied entries in your log - so what? it was denied! This is really only a problem if the traffics saturates your connection, or your log files grow so much that you run out of diskspace.

It was denied, yes...but when it's denied for 200 different users from the same IP, it only takes one user with a weak password (and as much as I like keys, I personally prefer the passwords). I also find that since I have a nice web-enabled SSH app (as part of usermin), the key becomes sorta useless in that case.

The article also comments on moving ssh to a different port, but this causes confusion and annoyance if you have many users and is non-standard. Doing the other things works great, an ssh-key on a usb-keyring is great.

For anyone savvy, yes.  I don't assume that level of savvy.

Personally, I created a script for parsing the delegated files from the different regional registries such as only to allow connection from EU countries.

Sounds interesting, is it public?

Since then, I get at most one attempt a week, few enough to manually look up the ip with whois and decide if the host or network should be blocked.

Cheers, Erik


<Wrin> quick, somebody tell me the moon phase please?
<Dan_Wood> Wrin: Plummeting.

-Undernet #reboot, 9/11/01 (day of the WTC bombing)

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to