Re: [?] DYNDNS host vulnerability



Doug Mitton wrote:

> That's one of the reasons why it is recommended that you
> configure your system to not allow "root" to log in remotely.

The best thing is to use Public Key authentication with SSH and
disallow password access at all. That way there's simply no way
an intruder could get in, as long as the SSHD itself has no
security leak. On the remote side you should put all the
programs you need for administrating things (but only those
programs) into sudoers so that your usual admin account can use
them w/o password. For everything else a password should be
required, or another account should be used.

> Now, it is a matter of guessing a valid user ID as well as a
> password, THEN trying to guess "root's" password..

And if you got pam_wheel, then only users in the wheel group
may "su".

> I also use non-standard ports for my admin services

Doesn't really aid in security. nmap tells you which ports are
open. And to see what daemon is behind it, you just do a
trial-and-error test of several protocols.

Port knocking is the better way here to conceal things.

> as well as firewall rule to lockout multiple access attempts in
> a short period of time.

This is actually a good idea, but make the firewall rule such that
only access attempts that failed to authenticate result in a
denial.

Wolfgang Draxinger
--
E-Mail address works, Jabber: hexarith@xxxxxxxxxx, ICQ: 134682867
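
Added example, not part of the original post: a sketch of the lockout logic discussed above, where only failed authentications count toward a denial, so an admin opening many key-authenticated sessions in a short time is never locked out. The log lines are constructed in OpenSSH syslog style with ISO timestamps, and the function name `offenders` and its thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 gw sshd[811]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2
2024-05-01T10:00:03 gw sshd[812]: Accepted publickey for admin from 198.51.100.7 port 50124 ssh2
2024-05-01T10:00:05 gw sshd[813]: Accepted publickey for admin from 198.51.100.7 port 50126 ssh2
2024-05-01T10:00:07 gw sshd[814]: Accepted publickey for admin from 198.51.100.7 port 50128 ssh2
2024-05-01T10:01:00 gw sshd[820]: Failed password for root from 203.0.113.9 port 41000 ssh2
2024-05-01T10:01:08 gw sshd[821]: Failed password for invalid user test from 203.0.113.9 port 41002 ssh2
2024-05-01T10:01:15 gw sshd[822]: Failed password for root from 203.0.113.9 port 41004 ssh2
2024-05-01T10:02:00 gw sshd[830]: Failed password for admin from 192.0.2.44 port 38000 ssh2
2024-05-01T10:04:30 gw sshd[831]: Failed password for admin from 192.0.2.44 port 38002 ssh2
2024-05-01T10:07:00 gw sshd[832]: Failed password for admin from 192.0.2.44 port 38004 ssh2
"""

# Matches only failed authentications; "Accepted ..." lines never match.
FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+"
)

def offenders(log_text, max_failures=3, window_s=60):
    """Return {ip: timestamp of the failure that crossed the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins are ignored entirely
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts      # candidate for a firewall deny rule
    return blocked

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"deny {ip} (threshold crossed at {when.isoformat()})")
```

A plain connection-rate rule would have counted the four successful logins from 198.51.100.7 as well; here only 203.0.113.9 crosses the threshold.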
