On 26Oct2009 22:44, loyal_barber <loyal_barber@
| I googled this and got an option I thought would really work for me.
| 1. disallow ssh login by root
Highly recommended. We set up ssh as:
- only public key authentication; no passwords
- no root login
- explicit AllowUsers; only specified users can log in
- a rate limiting firewall rule; aside from a small whitelist,
any remote IP trying to do more than a small number of ssh
connections per minute gets put in a table used to block (drop all
packets) from that IP
This has an amazing effect upon the guff in Logwatch from script
kiddies.
| 2. restrict su to root to the wheel group
We mostly just rely on root's password being a longish random string.
With no remote access this becomes impractical to brute force or guess.
| 3. disallow remote and local login for root
Hmm. We allow local login for root i.e. at the console.
| #2 was accomplished with this command:
| auth required /lib/security/
| however, this allows users in the wheel group to su to root without
| entering a password.
Personally I'd be unhappy with that. The sudo command may be a better
route if you want passwordless root powers; you can make command
specific things there.
I'd just rely on only letting a very small number of people know the
root password (== your wheel group) plus a copy on paper in a safe
(if its that kind of setup - commercial).
Disallowing local root login can make things hard to recover if your
admins are unavailable in an emergency (i.e. the safe is the non-admin's
route into the box).
I do toy with the idea of running two sshes: one listening on the box's
exterior IP address, allowing in only the AllowUsers list, and another
listening on 127.0.0.1, allowing only root, and requiring an ssh key
whose private half is not stored on the box. This would provide a method
for remote root-power administration via a multihop ssh connection:
ssh me@box ssh root@127.0.0.
I would have a key for me, and a _different_ key for root@127.0.0.
and forward both over an ssh-agent forward. The root@127.0.0.
useless from outside.
Cheers,
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.
Ed Campbell's <ed@Tekelex.Com> pointers for long trips:
2. Figure out the most money you could possibly spend, and take at least
double.
Change settings via the Web (Yahoo! ID required)
Change settings via email: Switch delivery to Daily Digest | Switch format to Traditional
Visit Your Group | Yahoo! Groups Terms of Use | Unsubscribe
No comments:
Post a Comment