Rootkit infections: AARRGH!

Paul Lussier p.lussier at comcast.net
Tue May 10 21:06:14 EDT 2005


Neil Joseph Schelly <neil at jenandneil.com> writes:

> Does anyone here have any additional insight into the best practice?  I know 
> it's considered best practice, but I never really found it to be logical, and 
> most only give the reasoning that it is a best practice.

Well, you could disallow root login using a password via ssh, which
mandates the use of keys.  This at least means that a brute-force
dictionary attack against the root account won't work.

The other thing you can do is disallow direct access from the internet
to any system via ssh except a specific bastion host.  From this host,
you may log into other systems on the internet.

The bastion host should also be configured to use a *different*
authentication mechanism than the internal systems.  For example, auth
to the bastion host via ssh keys, and auth against internal systems
via Kerberos or LDAP, or something else (obviously ssh key passphrases
and kerberos or LDAP passwords should be different).

-- 

Seeya,
Paul
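The configurations Paul describes, as an added example that is not part of the original post or of any project's code: a weak sshd_config beside a hardened one for the bastion host (keys only, no root password login), a config for an internal host that accepts only Kerberos/GSSAPI tickets and only from the bastion, and a small checker. The checker honours a rule that trips people up: sshd takes the *first* occurrence of a keyword in the global section, so a hardening line appended at the bottom of a file that already says `PermitRootLogin yes` changes nothing. The addresses (192.0.2.x) and the group name `sshusers` are constructed for the example.

```shell
#!/bin/sh
# Added example: constructed sshd_config samples plus a checker for
# "no password login" settings. Not from the original post.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the kind of defaults many distributions shipped in 2005.
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed: Internet-facing bastion. Keys only; root may log in but
# never with a password. (prohibit-password is the OpenSSH 7.0+ spelling
# of the older without-password.)
cat > "$WORK/sshd_config.bastion" <<'EOF'
Port 22
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
EOF

# Constructed: internal host. Different mechanism from the bastion
# (Kerberos tickets via GSSAPI, no keys, no passwords) and only the
# bastion's address (assumed 192.0.2.10) may connect.
cat > "$WORK/sshd_config.internal" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no
GSSAPIAuthentication yes
AllowUsers *@192.0.2.10
EOF

# Constructed trap: hardening appended below an existing "yes" line.
# sshd uses the first occurrence, so this file is still weak.
cat > "$WORK/sshd_config.trap" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# "hardened" later by appending:
PermitRootLogin no
PasswordAuthentication no
EOF

# Print the effective value of KEYWORD in FILE: first occurrence wins,
# comments and blank lines are skipped, and only the global section
# (everything before the first Match block) is considered.
sshd_effective() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Return 0 if FILE forbids password logins for root and for everyone
# else, 1 otherwise (with the offending setting on stderr).
check_no_password_login() {
    root=$(sshd_effective "$1" PermitRootLogin)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "$1: PermitRootLogin is '${root:-unset}'" >&2; return 1 ;;
    esac
    case "$pw" in
        no) ;;
        *) echo "$1: PasswordAuthentication is '${pw:-unset}'" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone run: report on each constructed file.
for f in weak bastion internal trap; do
    if check_no_password_login "$WORK/sshd_config.$f" 2>/dev/null; then
        echo "sshd_config.$f: password logins disabled"
    else
        echo "sshd_config.$f: password logins still possible"
    fi
done
```

Run it against a real `/etc/ssh/sshd_config` with `check_no_password_login /etc/ssh/sshd_config`; on a live host, `sshd -T` prints the effective settings and is the authoritative check, but the awk version is handy for auditing files copied off a box.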


