Hello from Gregg C Levine

This is all good advice. I'll probably need to dig up documentation on iptables, and go on from there.

And as it happens this is a relatively new system, so I am the only user. But yes, people who do get permission to access my systems do need to choose non-dictionary words as passwords, and all of you can guess what my root password is.

----
Gregg C Levine
[EMAIL PROTECTED]
---
"Remember the Force will be with you. Always." Obi-Wan Kenobi

> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Istvan Nemeth
> Sent: Thursday, July 21, 2005 1:50 AM
> To: [email protected]
> Subject: Re: [LINUX-390] Security questions and scads of NOUSER based SSH attacks
>
> Linux on 390 Port <[email protected]> wrote at 2005.07.21 04:19:22:
>
> > On one of my systems, I have
> > 1. Turned off all password authentication
> > 2. Written firewall rules to limit connexions to specific IP address ranges that have me covered. This reduces the number of attempts considerably.
> >
> > One of our systems was penetrated by a sloppy user-chosen password. Since then, I have
> > 1. Changed the firewall rules so that incoming SSH lands on my desktop and not the server.
> > 2. Changed the rules so _I_ choose passwords. _I_ use a password generator which produces gems such as et3tUfGd (now defunct). There is still mail to protect. For user-chosen passwords I suggest two (or more) unrelated words such as cowblue. I figure those won't be in people's attack dictionary.
>
> My users need to have Linux accounts to use Samba, mail etc., but no ssh (or sftp) from outside. So I simply made firewall rules to let ssh in only from specific hosts..., but I think it's not a good idea to force users to use generated passwords (e.g. for political reasons), and I also do not recommend using a desktop computer for incoming ssh connections; the service will depend on a single PC.
>
> I think I would use PAM's features to force users to have heavy passwords.
>
> István
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
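The two controls the thread keeps coming back to are (1) only accepting SSH from a short list of trusted source ranges with iptables and (2) turning password authentication off in sshd so dictionary attacks against NOUSER-style guesses have nothing to hit. The script below is an added illustration of both, written for this page; it is not code from anyone in the thread. The address ranges and the two sshd_config samples are constructed placeholders, the iptables commands are printed rather than executed so the script can be read and tested without root, and the config check mirrors sshd's rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example (not from the LINUX-390 thread): restrict SSH to trusted
# source ranges and verify that sshd has password authentication disabled.

# Constructed placeholder ranges; replace with the networks that "have you covered".
TRUSTED_RANGES="192.0.2.0/24 198.51.100.0/24"

# Print (do not run) the iptables commands that accept new SSH connections only
# from the given ranges and drop every other attempt on port 22.
ssh_iptables_rules() {
    for net in $1; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -m state --state NEW -j ACCEPT\n' "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Return 0 when the sshd_config at $1 effectively disables password
# authentication, 1 otherwise. sshd honours the first occurrence of a keyword
# and defaults to "yes" when the keyword is absent, so both cases are handled.
password_auth_disabled() {
    setting=$(grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
              | head -n1 | awk '{print tolower($2)}')
    [ "$setting" = "no" ]
}

# Constructed sample configs: one still allows passwords, one is hardened.
WEAK_CFG=$(mktemp)
printf 'Port 22\nPasswordAuthentication yes\n' > "$WEAK_CFG"
HARD_CFG=$(mktemp)
printf 'Port 22\n# PasswordAuthentication yes\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$HARD_CFG"

# Stand-alone run: show the generated rules and the verdict for each config.
ssh_iptables_rules "$TRUSTED_RANGES"
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if password_auth_disabled "$cfg"; then
        echo "$cfg: password authentication disabled"
    else
        echo "$cfg: password authentication still enabled"
    fi
done
```

The ACCEPT rules must precede the DROP rule in the INPUT chain, which is why the function emits them in that order; the check function deliberately ignores commented-out lines, since a leftover `# PasswordAuthentication yes` above the real setting is common and harmless.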
