Ruminations on an SSH attack
Bill McGonigle
bill at bfccomputing.com
Sun Dec 18 20:49:01 EST 2005
On Dec 18, 2005, at 14:46, Bill Sconce wrote:
> It didn't succeed, so far as I've
> been able to tell)...
I sleep better at night knowing my servers have these lines in them:
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
PasswordAuthentication no
AllowUsers ...
These settings aren't right for everybody, but they are very right for
most people I encounter and thwart most dictionary attacks, even
against weak passwords. I do work at some places with insane password
policies, and this helps a bit.
The one time I did have to clean up after an ssh break-in was before I
adopted this policy; it exploited a weak user's password and, fortunately,
was limited to a compromise of that one account - an ircd was
running and a rootkit wasn't installed (though certainty on the last
point is always in question until you can do offline forensics).
> OK, thousands of attempted logins - that's what a dictionary attack IS.
There have also been attempts to find OpenSSL vulnerabilities with
scripts that look like a dictionary attack (the feint).
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
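The five sshd_config lines in the message above are easy to type and easy to get subtly wrong: sshd takes the first value it sees for a keyword, and a directive placed under a Match line only applies inside that block. The following is an added example (not code from the post or from OpenSSH) that audits a config text for exactly the settings listed in the post. Function names, the constructed sample configs and the assumption that a missing keyword should be reported rather than defaulted are mine; the first-occurrence-wins and Match-block semantics are those documented in sshd_config(5).

```python
"""Audit an sshd_config for the hardening directives in the post.

Added example. Assumed sshd_config(5) semantics: keywords are
case-insensitive, the first value given for a keyword wins, lines whose
first non-blank character is '#' are comments, and everything after a
'Match' line belongs to that conditional block rather than the global
configuration. 'Keyword value' and 'Keyword=value' are both accepted.
"""
import re
from typing import Dict, List

# Expected values from the post (keys lower-cased, as sshd compares them).
EXPECTED = {
    "permitrootlogin": {"no"},
    "ignorerhosts": {"yes"},
    "passwordauthentication": {"no"},
}

_DIRECTIVE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")


def parse_global_directives(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map (first match wins)."""
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True      # everything below is conditional, not global
            continue
        if in_match:
            continue
        effective.setdefault(key, value)   # a later repeat does not override
    return effective


def audit(text: str) -> List[str]:
    """Return findings for the config text; an empty list means it matches."""
    cfg = parse_global_directives(text)
    findings: List[str] = []
    for key, ok in EXPECTED.items():
        val = cfg.get(key)
        if val is None:
            # Assumption: rely on an explicit setting, not the compiled-in default.
            findings.append(f"{key}: not set explicitly (compiled-in default applies)")
        elif val.lower() not in ok:
            findings.append(f"{key}: is '{val}', want one of {sorted(ok)}")
    # Protocol was removed from modern OpenSSH (SSH-1 is gone), so only an
    # explicit value that still lists 1 is reported.
    proto = cfg.get("protocol")
    if proto is not None and "1" in [p.strip() for p in proto.split(",")]:
        findings.append(f"protocol: '{proto}' still allows SSH-1")
    if not cfg.get("allowusers"):
        findings.append("allowusers: not set, so any account may attempt to log in")
    return findings


# Constructed samples, not taken from any real server.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: the first occurrence above wins
PasswordAuthentication no
Match Address 10.0.0.0/8
# this only applies inside the Match block, not globally
    PermitRootLogin no
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
PasswordAuthentication no
AllowUsers alice bob
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run it against a real file with `audit(open('/etc/ssh/sshd_config').read())`; on a live host, `sshd -T` prints the effective values after defaults and Match evaluation and is the authoritative check.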
More information about the gnhlug-discuss
mailing list