Re: on the remote root login in OpenSSH

2006-11-24 Thread Igor Sobrado
In message [EMAIL PROTECTED], chefren writes: Hello Igor, Hello Chefren. You missed the crux of quite a few important points that Nick tried to explain to you. Indeed, I have carefully read his post. He certainly explains some important points related to sshd. He is certainly right.

Re: on the remote root login in OpenSSH

2006-11-24 Thread Joachim Schipper
On Fri, Nov 24, 2006 at 07:06:17AM +0100, Bill Maas wrote: Hi, how about this one: PermitRootLogin 192.168.1 Should any of the SSH maintainers be reading this: possible new SSH feature? I believe you can actually do this with the Match directive, although I'd need to spend more time
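An added example, not code from the thread or from OpenSSH itself: the sshd_config fragment that does what Bill Maas asked for, using the Match keyword Joachim Schipper mentions (available since OpenSSH 4.4, which also allows PermitRootLogin inside a Match block). The 192.168.1.0/24 network and the key-only requirement are assumptions for illustration.

```conf
# /etc/ssh/sshd_config (added example, not from the thread)
# Assumed: the management LAN is 192.168.1.0/24 and root from there
# must authenticate with a key, never a password.

# Global default: nobody gets a root shell over the network.
PermitRootLogin no

# Match blocks must come last in the file: every line after a Match
# applies only to connections that satisfy its criteria, up to the
# next Match line.
Match Address 192.168.1.0/24
    # "without-password" is the OpenSSH 4.x spelling of "keys only";
    # releases from 7.0 on also accept "prohibit-password".
    PermitRootLogin without-password
```

Check the file with `sshd -t` before restarting; later releases (5.1 and up) can also print the effective value for a given client with `sshd -T -C addr=192.168.1.10,user=root`. The match is on the peer's source address, so it is only as trustworthy as the network path: on a host reachable from the Internet, pair it with the PF restriction Stuart Henderson describes so that 192.168.1.0/24 cannot be spoofed from outside. Han Boetes' one-word answer gets the same effect without Match, e.g. `AllowUsers root@192.168.1.* alice@*`, but AllowUsers is a whitelist, so every other account that should still log in has to be listed as well.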

Re: on the remote root login in OpenSSH

2006-11-24 Thread Stuart Henderson
On 2006/11/23 17:07, Igor Sobrado wrote: ... to set up a firewall with an ever-growing list of hostile machines. ... I think you misunderstand me. I mean to restrict direct SSH access to only those networks which need access, not to block attackers when you see them. Authorized users would

Re: on the remote root login in OpenSSH

2006-11-24 Thread Christian Ruediger Bahls
[2006-11-24 11:26] Woodchuck [EMAIL PROTECTED] wrote: You know, I seem to recall that many versions ago (maybe even as far back as 2.xx) root login on ssh *was* disallowed by default. I recall being bitten by it, too, on remote (other-side-of-the-room) installations on headless machines. just

Re: on the remote root login in OpenSSH

2006-11-24 Thread Paul de Weerd
Hi Dave, On Fri, Nov 24, 2006 at 01:50:52AM -0500, Woodchuck wrote: | At worst you have a small window during installation in which root | logins are allowed, before you shut them off by chroot'ing as Paul | outlined in his post. I'm not sure I understand, what window is this? Before (and

Re: on the remote root login in OpenSSH

2006-11-24 Thread Woodchuck
On Fri, 24 Nov 2006, Paul de Weerd wrote: Hi Dave, On Fri, Nov 24, 2006 at 01:50:52AM -0500, Woodchuck wrote: | At worst you have a small window during installation in which root | logins are allowed, before you shut them off by chroot'ing as Paul | outlined in his post. I'm not sure I

on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
Hi again! I have a question on the default behaviour of OpenSSH. Please do not understand that I am complaining about it or trying to change its behaviour in relation to remote root logins allowed by default on OpenSSH (but I certainly believe it would be nice, that is the reason I write this

Re: on the remote root login in OpenSSH

2006-11-23 Thread Anton Karpov
2006/11/23, Igor Sobrado [EMAIL PROTECTED]: Hi again! I have a question on the default behaviour of OpenSSH. Someone who really wants to allow remote root logins should be able to enable this feature just by changing /etc/ssh/sshd_config. But, in my humble opinion, most users do not

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Anton Karpov writes: I'm neither an OpenBSD nor an OpenSSH developer, but I think the main idea of enabling root by default in OpenBSD is... protection from weak passwords! Just look at this. When you're installing OpenBSD, the system asks for a root password. You're

Re: on the remote root login in OpenSSH

2006-11-23 Thread Uwe Dippel
On Thu, 23 Nov 2006 12:24:38 +0100, Igor Sobrado wrote: I guess that remote root logins are allowed by default to simplify management of small network appliances that do not have user accounts on them. I have no clue why root logins are actually disabled, but I can tell you one thing: if

Re: on the remote root login in OpenSSH

2006-11-23 Thread Paul de Weerd
On Thu, Nov 23, 2006 at 08:52:22PM +0800, Uwe Dippel wrote: | On Thu, 23 Nov 2006 12:24:38 +0100, Igor Sobrado wrote: | | I guess that remote root logins are allowed by default to simplify | management of small network appliances that do not have user accounts | on them. | | I have no clue on

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
Hi again. Out of this thread, Mr. Tongson pointed me to an interesting post from March 2005: http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html From this post, it is difficult to understand why disabling remote root logins is not a good idea; but after reading the entire thread

Re: on the remote root login in OpenSSH

2006-11-23 Thread Stuart Henderson
On 2006/11/23 15:14, Igor Sobrado wrote: 2. There are a lot of brute force attacks from countries like Korea these days. These attacks will be less effective if the intruders get access to an unprivileged account (even if it is in the wheel group). On a typical system, these

Re: on the remote root login in OpenSSH

2006-11-23 Thread Darrin Chandler
On Thu, Nov 23, 2006 at 12:24:38PM +0100, Igor Sobrado wrote: First of all, I understand that remote root logins can be easily avoided by setting PermitRootLogin to no in /etc/ssh/sshd_config. Yes. This is a very simple thing to do. I guess that remote root logins are allowed by default to

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Stuart Henderson writes: On 2006/11/23 15:14, Igor Sobrado wrote: 2. There are a lot of brute force attacks from countries like Korea these days. These attacks will be less effective if the intruders get access to an unprivileged account (even if

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Darrin Chandler writes: On Thu, Nov 23, 2006 at 12:24:38PM +0100, Igor Sobrado wrote: First of all, I understand that remote root logins can be easily avoided by setting PermitRootLogin to no in /etc/ssh/sshd_config. Yes. This is a very simple thing to do.

Re: on the remote root login in OpenSSH

2006-11-23 Thread Nick Holland
Igor Sobrado wrote: Hi again. Out of this thread, Mr. Tongson pointed me to an interesting post from march 2005: http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html i.e., DROP IT. IT WILL NOT CHANGE. The guy in charge has spoken. From this post, it is difficult

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Nick Holland writes: Igor Sobrado wrote: Hi again. Out of this thread, Mr. Tongson pointed me to an interesting post from march 2005: http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html i.e., DROP IT. IT WILL NOT CHANGE. The guy in

Re: on the remote root login in OpenSSH

2006-11-23 Thread Steve Williams
Igor Sobrado wrote: In message [EMAIL PROTECTED], Stuart Henderson writes: On 2006/11/23 15:14, Igor Sobrado wrote: 2. There are a lot of brute force attacks from countries like Korea these days. These attacks will be less effective if the intruders get access to an

Re: on the remote root login in OpenSSH

2006-11-23 Thread chefren
On 11/23/06 6:35 PM, Igor Sobrado wrote: Participating in flamewars is usually not my style and I certainly have more productive ways to waste my time and patience. Probably not with computer security... Nick is right from start to finish and you can learn a lot from his friendly text.

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], chefren writes: On 11/23/06 6:35 PM, Igor Sobrado wrote: Participating in flamewars is usually not my style and I certainly have more productive ways to waste my time and patience. Probably not with computer security... Do you stand treat? You evidently

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Steve Williams writes: I block brute force attacks using PF. They get a small set of attempts before they are blocked. Very trivial. pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \ keep state (max-src-conn-rate 5/40, overload scanners)

Re: on the remote root login in OpenSSH

2006-11-23 Thread Igor Sobrado
In message [EMAIL PROTECTED], Stuart Henderson writes: On 2006/11/23 17:07, Igor Sobrado wrote: ... to set up a firewall with an ever-growing list of hostile machines. ... I think you misunderstand me. I mean to restrict direct SSH access to only those networks which need access, not to

Re: on the remote root login in OpenSSH

2006-11-23 Thread Joachim Schipper
On Thu, Nov 23, 2006 at 05:07:52PM +0100, Igor Sobrado wrote: [U]sing certificates is an excellent choice too. I suppose that OpenBSD currently supports using certificates stored in removable media. A bit hard to configure, but highly secure. Indeed. I find it hard to think of a situation

Re: on the remote root login in OpenSSH

2006-11-23 Thread Joachim Schipper
On Thu, Nov 23, 2006 at 10:28:20PM +0100, Igor Sobrado wrote: In message [EMAIL PROTECTED], Steve Williams writes: I block brute force attacks using PF. They get a small set of attempts before they are blocked. Very trivial. pass in on $ext_if proto tcp to $ext_if port ssh flags
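An added example, not from the thread: Steve Williams' pass rule, as quoted by Igor Sobrado and Joachim Schipper above, completed into the pf.conf fragment it needs to work (the table it overloads into and a block rule that honours that table). The $ext_if macro, the 5/40 threshold and the scanners table name are the thread's; the interface name, the "flush global" option and the cron expiry are assumptions added here.

```conf
# /etc/pf.conf (added example, not from the thread)
ext_if = "em0"   # assumed interface name

# Addresses that trip the rate limit land in this table. "persist"
# keeps the table defined even while it is empty.
table <scanners> persist

# Must precede the pass rule: "quick" stops evaluation for listed hosts.
block in quick on $ext_if from <scanners>

# More than 5 new SSH connections from one address within 40 seconds
# adds that address to <scanners>; "flush global" also removes the
# states it already holds, so sessions the attacker has open die with
# the ban instead of surviving it.
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
    keep state (max-src-conn-rate 5/40, overload <scanners> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The table never empties by itself; a cron entry such as `pfctl -t scanners -T expire 86400` drops entries older than a day. Two caveats a practitioner should keep in mind: the limit is per source address, so an attacker who spreads attempts across many hosts stays under any per-address threshold, and a legitimate user behind a NAT shared with a noisy host gets locked out along with it, which is why this complements rather than replaces PermitRootLogin no and key-based authentication.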

Re: on the remote root login in OpenSSH

2006-11-23 Thread Bill Maas
Hi, how about this one: PermitRootLogin 192.168.1 Should any of the SSH maintainers be reading this: possible new SSH feature? Bill On Thu, 2006-11-23 at 12:24 +0100, Igor Sobrado wrote: Hi again! I have a question on the default behaviour of OpenSSH. Please, do not understand that I

Re: on the remote root login in OpenSSH

2006-11-23 Thread Han Boetes
Bill Maas wrote: how about this one: PermitRootLogin 192.168.1 Should any of the SSH maintainers be reading this: possible new SSH feature? AllowUsers # Han

Re: on the remote root login in OpenSSH

2006-11-23 Thread Woodchuck
On Thu, 23 Nov 2006, Darrin Chandler wrote: No. It would be simple enough to disable everything, but that wouldn't be functional. OpenBSD has an excellent track record for security, yet many useful things are enabled by default. Do you *really* believe that nobody has thought about turning

Re: on the remote root login in OpenSSH

2006-11-23 Thread Woodchuck
On Fri, 24 Nov 2006, Joachim Schipper wrote: While I'm inclined to agree with the last part, setting up a botnet isn't *that* hard. Particularly in the domain .kr, which Igor sees intermittent attacks from. Korea has the perfect ecosystem for such a botnet -- very large numbers of pretty fast