On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to
> the security settings of all of the web sites under your administration.
> Otherwise, anonymous skript kiddiez could show up at any moment and
> deface one or more of your web sites.  (It happens a lot.)

Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.

And yes, I know that automated systems can't use passphrases.. so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command.  (yes, this means that if the automation host
has to do a dozen different things, it needs a dozen keypairs.  Security is always
tradeoffs.)

'ssh-keygen -H' also helps control things.

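An added audit script (example code, not part of the mail above) covering the two points raised: private keys stored without a passphrase, and automation keys that are not pinned to a single forced command. OpenSSH sets a forced command per key with the `command=` option on that key's `authorized_keys` line, so the second check parses that file's option field. All key material and entries below are constructed placeholders.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key format
KEYTYPE = re.compile(r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(@openssh\.com)?$")

def key_has_passphrase(pem: str) -> bool:
    """True if the private key is encrypted at rest (OpenSSH format or legacy PEM)."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        raw = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
        assert raw.startswith(MAGIC), "not an openssh-key-v1 blob"
        (n,) = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])  # cipher name is the first string
        return raw[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    return "Proc-Type: 4,ENCRYPTED" in pem  # legacy PEM keys flag encryption in a header

def _split_quoted(s: str, seps: str) -> list:
    """Split on any of seps, but not inside double quotes (options such as command="a b,c")."""
    parts, buf, quoted = [], "", False
    for ch in s:
        quoted ^= ch == '"'
        if ch in seps and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf] if p]

def unrestricted_keys(authorized_keys: str) -> list:
    """Comments of authorized_keys entries with no command= option, i.e. keys that may run anything."""
    flagged = []
    for line in authorized_keys.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = _split_quoted(line, " \t")
        has_opts = not KEYTYPE.match(fields[0])  # options, if any, precede the key type
        options = _split_quoted(fields[0], ",") if has_opts else []
        comment = " ".join(fields[3 if has_opts else 2:]) or "(no comment)"
        if not any(o.lower().startswith("command=") for o in options):
            flagged.append(comment)
    return flagged

# Constructed samples (no real key material): for this check a minimal openssh-key-v1 blob only needs the magic plus the cipher-name string.
def _fake_openssh_key(cipher: str) -> str:
    body = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
SAMPLE_KEYS = {"id_automation": _fake_openssh_key("none"), "id_admin": _fake_openssh_key("aes256-ctr")}
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3placeholder backup@nas
command="/usr/local/bin/rsync-only",restrict ssh-ed25519 AAAAC3placeholder2 backup-restricted@nas
no-pty,from="10.0.0.0/8" ssh-rsa AAAAB3placeholder3 monitor@host
"""
```

Run against a real `~/.ssh` by reading each private key file into `key_has_passphrase` and the `authorized_keys` text into `unrestricted_keys`; the `restrict` option in the sample additionally disables forwarding and pty allocation for that key.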