l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
April 21: Google Glass
Next Installfest:
TBD
Latest News:
Mar. 18: Google Glass at LUGOD's April meeting
Page last updated:
2006 Sep 21 08:43

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] security dilemma
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] security dilemma



On Wed, 20 Sep 2006, Cylar Z wrote:
> Here's the issue. As with many broadband customers, my
> IP changes occasionally, and every so often, my
> assigned client IP address falls outside of the range
> defined by the firewall and/or TCP wrappers on the
> remote Red Hat server. However, expanding the range of
> IP's it allows to try logging in is a problem for two
> reasons:
> 
> 1. I don't know the full range of IP's offered by my
> ISP. 
>
> 2. My logs have recorded numerous break-in attempts on
> the server, by individuals originating from the range
> listed above. 


There are three separate things you can do to minimize the
attackability of your accounts:

1) Don't allow password based ssh logins. Use ssh keys with passwords
on the keys to log in instead.

2) Disable/delete all accounts which aren't in use; make sure their
passwords are invalid.

3) Install fail2ban or an equivalent to automatically ban IPs for a
period of time once they have had a certain number of failures in a
time period.

4) If you don't do #1, make sure that all of the passwords on accounts
are not trivially guessable. Using pam's cracklib can help enforce
this if you have multiple users.

That being said, ssh password guessing attacks are pretty much the
easiest type of attack to defend against; there are many other modes
of attack which are more likely to compromise your machine.


Don Armstrong

-- 
"Facts" are the refuge of people unwilling to reassess what they hold
to be "True".

http://www.donarmstrong.com              http://rzlab.ucr.edu
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.