Re: Friday Reminder: Web Site Security

2020-05-16 Thread Etienne-Victor Depasquale
+1

On Sat, May 16, 2020 at 4:44 AM Mike Hale  wrote:

> Big plus 1 to Bill's point.
>
> On Fri, May 15, 2020, 6:37 PM William Herrin  wrote:
>
>> On Fri, May 15, 2020 at 4:25 PM Valdis Klētnieks
>>  wrote:
>> > On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
>> > > This is your helpful Friday reminder to always pay close attention to
>> > > the security settings of all of the web sites under your administration.
>> > > Otherwise, anonymous skript kiddiez could show up at any moment and
>> > > deface one or more of your web sites.  (It happens a lot.)
>> > > https://ipv4.plus/
>> >
>> > Just this week, I have seen an (unconfirmed) report that there is an organized
>> > effort that's abusing SSH keys that lack passphrases - if they pwn a system and
>> > find one, they go surfing it as far as they can.
>>
>> You may have missed the schadenfreude in Ronald's post.
>>
>> Give it a rest Ronald. You won.
>>
>> Regards,
>> Bill Herrin
>>
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/
>>
>

-- 
Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta
Web. https://www.um.edu.mt/profile/etiennedepasquale


Re: Friday Reminder: Web Site Security

2020-05-15 Thread Matt Palmer
On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis Klētnieks wrote:
> And yes, I know that automated systems can't use passphrases... so remember to
> check to see if you can use 'force-command=' in the known hosts file so that the
> key can only issue one command.  (yes, this means that if the automation host has
> to do a dozen different things, it needs a dozen keypairs.  Security is
> always tradeoffs.)

No need for trade-offs here; you can have a `command=` (it's not
`force-command=`) wrapper script that validates the command that was sent
(via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved"
list.  One key, many commands, any command you don't allow gets blocked.

- Matt



Re: Friday Reminder: Web Site Security

2020-05-15 Thread Mike Hale
Big plus 1 to Bill's point.

On Fri, May 15, 2020, 6:37 PM William Herrin  wrote:

> On Fri, May 15, 2020 at 4:25 PM Valdis Klētnieks
>  wrote:
> > On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> > > This is your helpful Friday reminder to always pay close attention to
> > > the security settings of all of the web sites under your administration.
> > > Otherwise, anonymous skript kiddiez could show up at any moment and
> > > deface one or more of your web sites.  (It happens a lot.)
> > > https://ipv4.plus/
> >
> > Just this week, I have seen an (unconfirmed) report that there is an organized
> > effort that's abusing SSH keys that lack passphrases - if they pwn a system and
> > find one, they go surfing it as far as they can.
>
> You may have missed the schadenfreude in Ronald's post.
>
> Give it a rest Ronald. You won.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>


Re: Friday Reminder: Web Site Security

2020-05-15 Thread William Herrin
On Fri, May 15, 2020 at 4:25 PM Valdis Klētnieks
 wrote:
> On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> > This is your helpful Friday reminder to always pay close attention to
> > the security settings of all of the web sites under your administration.
> > Otherwise, anonymous skript kiddiez could show up at any moment and
> > deface one or more of your web sites.  (It happens a lot.)
> > https://ipv4.plus/
>
> Just this week, I have seen an (unconfirmed) report that there is an organized
> effort that's abusing SSH keys that lack passphrases - if they pwn a system and
> find one, they go surfing it as far as they can.

You may have missed the schadenfreude in Ronald's post.

Give it a rest Ronald. You won.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Friday Reminder: Web Site Security

2020-05-15 Thread Valdis Klētnieks
On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to
> the security settings of all of the web sites under your administration.
> Otherwise, anonymous skript kiddiez could show up at any moment and
> deface one or more of your web sites.  (It happens a lot.)

Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.

And yes, I know that automated systems can't use passphrases... so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command.  (yes, this means that if the automation host has
to do a dozen different things, it needs a dozen keypairs.  Security is always
tradeoffs.)

'ssh-keygen -H' also helps control things.
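
An added example, not a script from Matt or Valdis, illustrating both Matt's `command=` wrapper that checks `$SSH_ORIGINAL_COMMAND` and Valdis's one-command-per-key concern: a POSIX sh gate that lets a single key run several approved commands and refuses anything else. The allowlist entries, the install path /usr/local/bin/ssh-cmd-gate and the deploy-site tool are constructed for the example.

```shell
#!/bin/sh
# Wrapper for an authorized_keys "command=" entry: one key, several
# approved commands, everything else rejected. Install it as, e.g.,
# /usr/local/bin/ssh-cmd-gate and reference it from the key line:
#   restrict,command="/usr/local/bin/ssh-cmd-gate" ssh-ed25519 <KEY> automation
# ("restrict" disables pty, port/agent/X11 forwarding for that key;
# <KEY> is a placeholder for the public key material.)

# Allowlist of complete command lines, one per line (constructed examples).
# Matching is exact, so option strings must be identical to what the
# client sends; rsync's --server line, for instance, changes with version.
ALLOWED_CMDS='
/usr/bin/uptime
/usr/bin/df -h /srv
/usr/local/bin/deploy-site --site www
'

# check_cmd LINE: succeed (0) only if LINE is exactly one allowlist entry.
# The body is a subshell so the IFS and globbing changes do not leak out.
check_cmd() (
    IFS='
'           # split the allowlist on newlines only
    set -f  # no glob expansion of allowlist entries
    for line in $ALLOWED_CMDS; do
        [ "$line" = "$1" ] && exit 0
    done
    exit 1
)

# run_gate: exec what the client asked for if it is approved, else refuse.
# $SSH_ORIGINAL_COMMAND is never handed to a shell; the already-matched
# line is split on whitespace and exec'd as argv.
run_gate() {
    cmd=${SSH_ORIGINAL_COMMAND-}
    if check_cmd "$cmd"; then
        set -f
        # shellcheck disable=SC2086  # intentional splitting of a trusted line
        set -- $cmd
        exec "$@"
    fi
    logger -t ssh-cmd-gate -- "rejected ${cmd:-<interactive shell>} from ${SSH_CONNECTION%% *}"
    exit 127
}

# sshd exports SSH_CONNECTION when it runs a forced command; when this file
# is sourced for testing it is absent and nothing is executed.
if [ -n "${SSH_CONNECTION-}" ]; then
    run_gate
fi
```

Because `check_cmd` is a pure function, the allowlist can be exercised with `check_cmd "/usr/bin/uptime"` from a test harness without going through sshd.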




Friday Reminder: Web Site Security

2020-05-15 Thread Ronald F. Guilmette
This is your helpful Friday reminder to always pay close attention to
the security settings of all of the web sites under your administration.
Otherwise, anonymous skript kiddiez could show up at any moment and
deface one or more of your web sites.  (It happens a lot.)


https://ipv4.plus/