| 1 |
On Tuesday 27 July 2004 12:30 pm, Greg Watson wrote: |
| 2 |
> If you're not already doing so, I recommend to disable password |
| 3 |
> interactive login and enforce key only logins. This will prevent some |
| 4 |
> of the ssh exploits, brute-force attacks, and general script kiddies. |
| 5 |
|
| 6 |
I saw these attempts a couple days ago, and increased the security levels on |
| 7 |
some of our machines. |
| 8 |
|
| 9 |
Our policy, when possible, is to implement IPTables rules. Create a trusted |
| 10 |
network within a small subset of your network. Lock down SSH from these |
| 11 |
IP's, any specific admin's IP's to specific destination IP's on the hosts. |
| 12 |
This will require being on the trusted network or a admins network and |
| 13 |
connecting to the magic destination IP to even see ssh. |
| 14 |
|
| 15 |
I prefer to do this in a firewall because it's easier to find connection |
| 16 |
problems in the future than sshd configs, expecially the larger the network |
| 17 |
you have to maintain. The first place any of your admins will check is the |
| 18 |
firewall. |
| 19 |
|
| 20 |
Also, for those that have access, configure your authenticating firewalls to |
| 21 |
block port 22 for anywhere and require authentication to open the network. |
| 22 |
But, most that have these should already be doing this ;) |
| 23 |
|
| 24 |
This is probably a little anal for kiddy attacks, but it's good measure |
| 25 |
if/when the next zero day ssh worm is really out. |
| 26 |
|
| 27 |
Rob |
| 28 |
|
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives