Re: Heads up: Brute force attacks on the rise recently

2009/10/29 Tom Horsley <tom.horsley@xxxxxxx>:
On Thu, 29 Oct 2009 09:59:27 -0400
rgheck wrote:

On 10/28/2009 07:44 PM, Tom Horsley wrote:
On Wed, 28 Oct 2009 18:03:29 -0500
Michael Cronenworth wrote:


-Make sure your root password is not a dictionary word.

Better yet, make sure you only allow public key login from
outside the trusted local network. I've been setting up my
sshd that way for a long time now.


Can you show how to do this? I only know how to make the choice globally.

rh



I globally disable various things in the main /etc/ssh/sshd_config
file, then I use a "Match" directive at the bottom, which for me
looks like:

Match Address 127.0.0.1,192.168.1.*
Banner /etc/nohamster.txt
GSSApiAuthentication yes
KerberosAuthentication no
PasswordAuthentication yes
KbdInteractiveAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no

That overries the global settings for requests originating
from the matched IP addrs.

I just mentioned this privately to someone. There are more vectors
than just SSH, and the principal is the same. Unless you have no way
into your network from the outside, (no VPN, no webservers, nothing),
there's a potential for a bruteforce attack.

Unfortunately, in our particular case, we can't restrict ssh to
internal IP ranges, so we had to implement a different solution.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Relevant Pages