[vox] security dilemma
Don Armstrong
don at donarmstrong.com
Thu Sep 21 00:52:23 PDT 2006
On Wed, 20 Sep 2006, Cylar Z wrote:
> Here's the issue. As with many broadband customers, my
> IP changes occasionally, and every so often, my
> assigned client IP address falls outside of the range
> defined by the firewall and/or TCP wrappers on the
> remote Red Hat server. However, expanding the range of
> IP's it allows to try logging in is a problem for two
> reasons:
>
> 1. I don't know the full range of IP's offered by my
> ISP.
>
> 2. My logs have recorded numerous break-in attempts on
> the server, by individuals originating from the range
> listed above.
There are three separate things you can do to minimize the
attackability of your accounts:
1) Don't allow password based ssh logins. Use ssh keys with passwords
on the keys to log in instead.
2) Disable/delete all accounts which aren't in use; make sure their
passwords are invalid.
3) Install fail2ban or an equivalent to automatically ban IPs for a
period of time once they have had a certain number of failures in a
time period.
4) If you don't do #1, make sure that all of the passwords on accounts
are not trivially guessable. Using pam's cracklib can help enforce
this if you have multiple users.
That being said, ssh password guessing attacks are pretty much the
easiest type of attack to defend against; there are many other modes
of attack which are more likely to compromise your machine.
Don Armstrong
--
"Facts" are the refuge of people unwilling to reassess what they hold
to be "True".
http://www.donarmstrong.com http://rzlab.ucr.edu
More information about the vox
mailing list