On 5 Jan 2012, at 11:22, Rory Browne wrote:
> On 5 January 2012 09:50, Niall O Broin <niall at magicgoeshere.com> wrote:
>> On 5 Jan 2012, at 08:21, Kevin Brennan wrote:
>>>>> - make sure root access via ssh is disabled
>>>> I see this touted now and then. What is the rationale? What I hear offered is "Well, you first have to get access to an account, and then you have to have the root password" i.e. you're forcing one extra layer of security. Well, why not then force 2 extra, with e.g. hardware tokens. Or 3 extra, with IP address restrictions too.
> I'm not sure where you're coming from here. Depending on the security
> requirements of the host/service in question, then you'd decide how
> many layers of security you need, versus the cost ( including time /
> effort ) of each one. I think disabling root via ssh is a relatively
> cheap layer to add, in time, effort, inconvenience, and cash terms.
For me, disabling root access via ssh would be a huge inconvenience, as I access dozens of systems via ssh on a regular basis.
> Some environments do indeed implement these three layers, as well as a
> fourth time-based layer.
> I know of a group who once disabled ssh during the day, but that was
> to stop their BOFH knowing they were running ssh at night.
Devious of them ;-)
> Computer security is all about adding layers, assuming at every layer,
> that an attacker has compromised every other layer.
Oh indeed - you pays your money, and you takes your choice.
>>> - move ssh from port 22
>>>> If moving ssh from port 22 enhances your security, then you're doing it wrongly. All that does is keep your log files less cluttered by getting rid of (most of) the script kiddies. The only way they can get in is by guessing passwords, and you absolutely should not allow password authenticated access via ssh for that very reason - key based access is the way to go.
> I agree - passphrased keys are the way to go - they're cheap, and add
> quite a good layer of security. However there is a chance that some of
> the script-kiddies will find an exploit in your sshd before you get it
> fixed. If those scriptkiddies work by just scanning hosts for openings
> on port 22, then you avoid their attack by listening on a different
> port. Unless you're running http://www.hackthissite.com or something
> similar, it would be generally preferable not to be attacked whether
> or not your systems are vulnerable.
Leaving most of my servers running ssh on 22 is also a matter of convenience, though in this case not mine - I could happily solve that via my ssh config transparently. However, numerous other people have to access the servers, and there are automated systems running over ssh too.
> Once again depending on your requirements, port-knocking, and SPA might be layers worth considering adding here too.
I've used port knocking on occasion, but generally don't bother.
Niall
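
Added example, not part of the thread and not any poster's code: a small Python audit that reads an sshd_config and reports which of the layers debated above (root login over ssh, password authentication, listening port) the global configuration actually enables. The defaults table assumes current OpenSSH behaviour, and the sample config is constructed.

```python
# Added example: audit an sshd_config for the layers debated in this thread.
# DEFAULTS are assumptions taken from current OpenSSH; older releases differ.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}
NO_ROOT_PASSWORD = {"no", "prohibit-password", "without-password",
                    "forced-commands-only"}

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value of a keyword wins."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":          # everything below is conditional
            break
        if key == "port":           # Port may be given more than once
            ports.append(int(value))
        else:
            settings.setdefault(key, value)
    return {**DEFAULTS, **settings}, ports or [22]

def audit(config_text):
    """Report which of the thread's layers the global config enables."""
    settings, ports = effective_settings(config_text)
    root = settings["permitrootlogin"]
    return {
        "root_login_disabled": root == "no",
        "root_password_login_blocked": root in NO_ROOT_PASSWORD,
        "password_auth_disabled": settings["passwordauthentication"] == "no",
        "off_port_22": 22 not in ports,
    }

# Constructed sample config, not taken from any poster's system.
SAMPLE = """\
Port 2222
PermitRootLogin without-password
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
if __name__ == "__main__":
    for check, ok in audit(SAMPLE).items():
        print(f"{check:30} {'yes' if ok else 'no'}")
```

The audit covers only the global section: Include files, Match overrides and keyboard-interactive authentication are not evaluated, so `sshd -T` on the host remains the authoritative view.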