On Mon, November 19, 2007 7:19 pm, Arthur Corliss wrote:
> 1) Root/administrator accounts should *never* be allowed to log in
> remotely. The only access to superuser accounts should be on a
> physical console or via su from a wheel group member. Let me be
> more blunt: if you allow root to log in remotely for any reason
> you're an idiot.
There's that vice-presidential spirit we're looking for. <grin>
> 2) Sshd should be configured to restrict login privileges to a specific
> group (other than users), and it should not allow empty passwords.
> This guarantees that just because some idiot packager who adds
> accounts to your box to support a service but forgets to either
> randomize or set a password can't be used to gain shell access.
> 3) Ideally, you should also be running a script that watches for
> failed authentication attempts and automatically firewalls off the
> offending IP after n number of attempts.
> 4) Also ideally, if you can restrict access to ssh to specific networks
> and/or IPs by both firewall and tcp wrappers, you should.
Recently, I've had a resurgent interest in port knocking. Has anyone
here tried that? Any tools to recommend?
-- Bryan Medsker bryanm@acsalaska.net --------- To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.Received on Tue Nov 20 00:24:39 2007
This archive was generated by hypermail 2.1.8 : Tue Nov 20 2007 - 00:24:40 AKST