Re: Security/Hacked System - Now what?!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



bruce <badouglas@xxxxxxxxx> writes:
> And regarding the ssh/remote access, you specify public/private keys,
> and you have the key process run from the key file. This allows a user
> to be able to ssh into the box without having to use the ssh passwd,
> but only from the corresponding box that has the associated public
> (master/client) passwd/key setup to permit the login access.

You should set up the RSA or ECDHE private keys with a password.
ssh-keygen prompts you for a password when it cranks out the key for
you.

> But in this situation, if a user hacks into the 1st system, then they
> have access to the 2nd system, assuming they know the 2nd system's
> username. This would happen as the private/public key access file has
> been setup!

Without the decryption password for the RSA or ECDHE keys, they are
going nowhere.

On the other hand, you want *all* of your systems up to snuff with
all forms of unix password logins turned off.  Seems like you are
implying that some systems are easier to break into than others.  That's
not good.

/etc/ssh/sshd_config:

Protocol 2

# reset the host keys to only rsa or ecdsa
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# rekey every hour or default data (1G - 4G depending on cipher)
RekeyLimit default 1h

SyslogFacility AUTHPRIV

# We use RSA/ECDSA.  If it hasn't completed in 10 seconds, there is a
# big problem.
LoginGraceTime 10

# Unlike what this looks like, it says that root may not use the unix
# password for authentication.  Root *must* use public-key. -wsr 
PermitRootLogin without-password

AuthorizedKeysFile	.ssh/authorized_keys

# no unix passwords any more.  RSA or ECDSA only.
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM no

X11Forwarding yes
UsePrivilegeSeparation sandbox		# Default for new installations.

# Set the keep-alive for a heartbeat every 60 seconds and a connection
# close after 30 minutes. -wsr 2003/11/26
ClientAliveInterval  60
ClientAliveCountMax  30

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Cut down on the number of user accounts that can ssh in just in case
# some bug allows .ssh/authorized_keys files to be written.
AllowUsers root user1 user2 usern

# --- end ----


-wolfgang
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org




[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux