
Re: [LUG] Server got hacked


On 25 Nov 2013, at 16:05, bad apple <mr.meowski@xxxxxxxx> wrote:

> On 25/11/13 14:19, Matt Lee wrote:
>> Is there any reason to allow root SSH access at all?
>> Keys only, users only, block failed IPs -- maybe consider changing the
>> SSH port even?
> No, never ever ever ever allow root logins. That's basically rule number
> 0, very poor show.
> Whilst I agree that changing the default SSH port is useless, only allow
> key based logins for a couple of restricted users. Use visudo to lock
> down your elevation privileges so only certain users can initiate system
> tasks. Alternatively, remove sudo completely and manually elevate to
> root with "su -".

Yes, but you are the kind of paranoid person who ensures their SSH keys are password 
protected, which is a clear plus (e.g. password plus keys).

I usually lock SSH access to restricted IP address ranges.

I use Google Authenticator as a second factor for my own use; it provides a fairly 
robust barrier, and means I only need to carry my phone, not my SSH keys as well. 

Then I have to ensure the phone locks properly which is proving harder than expected 
since iOS 7.

That said, a robust password is beyond password guessing in any reasonable use of 
bandwidth/resources. In this regard 2FA may have advantages over SSH keys, since one 
scenario is that they have keyloggers/access to your client machine in some form, by which 
they stole your password and your one-time password, but that one-time password is 
already worthless. Theoretically they've won; in practice 2FA may stave them off a 
little longer and thus let you spot the problem before it gets any worse.

All my personal rules are subject to relaxation when necessary to get the job done, 
at work I go around making sure people don't do that without permission ;)
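The settings bad apple lists above (no root logins, key-only authentication, a short allow-list of users, plus the address-range restriction mentioned later) are easy to get wrong in practice, because sshd honours only the first occurrence of a keyword and treats everything after a Match line as conditional. The script below is an added example, not code from the thread: it audits an sshd_config for those three global settings over constructed sample files (the user names and the 192.0.2.* range are made up).

```shell
#!/bin/sh
# Added example: audit an sshd_config for no-root, keys-only and AllowUsers.
# sshd uses the FIRST occurrence of a keyword, and lines after a "Match"
# directive only apply conditionally, so only the global section is read.

# Effective global value of a keyword: first occurrence before any Match.
sshd_global() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }            # skip blanks and comments
        tolower($1) == "match" { exit }            # stop at the first Match block
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Prints one FAIL line per shortfall; returns 0 only when all checks pass.
audit_sshd() {  # $1 = config file
    audit_rc=0
    root_v=$(sshd_global "$1" PermitRootLogin)
    pw_v=$(sshd_global "$1" PasswordAuthentication)
    users_v=$(sshd_global "$1" AllowUsers)
    case "$root_v" in [Nn][Oo]) ;; *)
        echo "FAIL: PermitRootLogin is '${root_v:-unset}', want 'no'"; audit_rc=1 ;; esac
    case "$pw_v" in [Nn][Oo]) ;; *)
        echo "FAIL: PasswordAuthentication is '${pw_v:-unset}', want 'no' (keys only)"; audit_rc=1 ;; esac
    [ -n "$users_v" ] || { echo "FAIL: AllowUsers unset, any account may log in"; audit_rc=1; }
    return $audit_rc
}

# Constructed sample configs (temp files), one per situation.
WEAK=$(mktemp); TRAP=$(mktemp); HARD=$(mktemp)
# Root is denied only inside a Match block, so it is still allowed everywhere else.
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nMatch Address 10.0.0.0/8\n    PermitRootLogin no\n' > "$WEAK"
# Hardening appended below the original lines: the first occurrence wins, so not hardened.
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n# hardening added later\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers alice\n' > "$TRAP"
# Hardened globally; the user@host form limits bob to one source address range.
printf 'PermitRootLogin no\nPasswordAuthentication no\nAllowUsers alice bob@192.0.2.*\n' > "$HARD"

for cfg in "$WEAK" "$TRAP" "$HARD"; do
    echo "== $cfg"
    if audit_sshd "$cfg"; then echo "OK: meets all three checks"; fi
done
# Temp files are left in place so the results can be inspected; remove when done.
```

Run it as-is to see the two misconfigured samples fail and the hardened one pass; point audit_sshd at /etc/ssh/sshd_config to check a real host.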

The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq