Re: attempts to hack in?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2017-06-30 16:08, Cameron Simpson wrote:
On 30Jun2017 10:11, Greg Woods <woods@xxxxxxxx> wrote:
On Fri, Jun 30, 2017 at 9:36 AM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
It's not necessarily a target on *you*, but very probably it's just
targeting any computer that responds to them.  Poke, get a response,
keep prodding...

Yeah, pretty much all of this is totally automated these days. [...]
If you have an exposed ssh server, you will see this kind of
doorknob-rattling. I get around it in one of four ways:

You omitted way 0: DO NOT ALLOW PASSWORD BASED SSH. This is the single best thing you can do. Allowing only key-based access simply prevents all password based access and is cryptographicly strong, instead human-prose-imagination strong, which is typically awful.

Way 0(a) is to "PermitRootLogin No" and 0(b) is to have a fixed and small "AllowUsers" setting.

All your other suggestions come after that in terms of usefulness.

Password remote login: just don't do it.

1) Turn off sshd if
I don't really need it on a given system; 2) Use firewall rules to allow
access only from certain known remote locations (so I can get into my home
system from my desktop at work, for instance); 3) run sshd on a
non-standard port (won't stop the serious bad guys, but is usually good
enough to stop the automated doorknob-rattlers); and 4) If you really have
to have an ssh server that allows access from unknown remote locations, run
something like fail2ban that at least automatically blocks them if they try
too often from the same place. And the most important thing is, any of
these defenses can fail if you make a mistake configuring them (won't
happen because we're all perfect, right? :-) , so the most important thing
you can do is use strong passwords so that the brute force guessing cannot
succeed.

No, the most important thing is to make password guessing pointless.

Cheers,
Cameron Simpson <cs@xxxxxxxxxx>

And what do I do if I have to login from a different machine than one of mine? Should I hang a tag or key with the key to my computers on my key chain when traveling? A long password like farcicalGrebling is not likely to be found by anybody in any reasonable amount of time, eg. before I am dead and decomposed.

I developed a bad habit back in the 50s of actually running numbers on problems. I think that is why I was a heartless young adult, eg a conservative/libertarian sort of creature. Numbers talk to me. Ideals don't.

I've noticed in security there are a LOT of "assumptions" or "ideals" that really ain't so. Change your password every x days is one such. Change it whenever you think there is any chance it was compromised regardless of the number of days. I'm working on decades on that one. I am VERY careful where I type in any passwords to my accounts. I pick reasonably safe for a high value of reasonably rather than try to fool myself that I can make it absolutely safe. It's several thousands of times harder to get in through a password on my systems than it is to use other malware means. So why harden ssh logins any further? Make a Fermi number analysis of the likelihood of problems and work on the worst ones not the best ones.

{^_^}
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux