[wplug] Any tips against this kind of ssh break-in?
Chester R. Hosey
Chester.Hosey at gianteagle.com
Fri Jul 15 16:54:01 EDT 2005
On Fri, 2005-07-15 at 16:08 -0400, Jonathan Billings wrote:
> On 7/15/05, Brian A. Seklecki <lavalamp at spiritual-machines.org> wrote:
> >
> > > I did notice that in sshd_config, root was allowed to login. I just
> > > turned that off.
> >
> > GOOD GOD!! What distro* still ships with PermitRootLogin set to "yes" by
> > default ?!
>
> We build all our systems with PermitRootLogin set to "yes", however we
> don't set a local root password. We use kerberos authentication, so
> no one is typing a password at the ssh password prompt.
>
> Forcing a sysadmin to type a root password on a remote system or
> somehow escalate privileges (which would have to be the case if we
> couldn't log in as root) is just as much a security concern, because
> the local system could quite easily be compromised.
>
Add:

    auth required /lib/security/$ISA/pam_wheel.so use_uid

to /etc/pam.d/su. Requiring users to be in the wheel group in order to
use su can reduce the likelihood of guessing a weak user password,
logging in, and guessing a weak root password.

Strong passwords are good. Run a password cracker against /etc/shadow as
a precaution and be sure to scold any users whose passwords are insecure
enough to be cracked.

You could be a bit more pushy and expire all passwords and set up
pam_passwdqc instead of cracklib. It lets you do some neat things with
password strength requirements:

http://security.linux.com/security/04/09/20/1555239.shtml?tid=35

Have a great weekend all.

Chet
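
Added example, not part of the original message: a shell audit of the two settings discussed in this thread, the global PermitRootLogin value in sshd_config and an active pam_wheel.so line in /etc/pam.d/su. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are arguments so the
# checks can be run against copies of the real files.

# Print the global PermitRootLogin value, or "unset" if the file has none.
# sshd keeps the first value it reads for a keyword and treats keyword
# names case-insensitively; Match blocks are conditional, so stop there.
permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed (exit 0) if an uncommented "auth" line in a PAM service file
# loads pam_wheel.so with control "required" or "requisite".
su_requires_wheel() {
    awk '
        /^[ \t]*#/ { next }
        { type = $1; sub(/^-/, "", type) }
        type == "auth" && ($2 == "required" || $2 == "requisite") &&
            $3 ~ /(^|\/)pam_wheel\.so$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Constructed sample files, for demonstration only.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin yes
Protocol 2
permitrootlogin no
PermitRootLogin yes
EOF
cat > "$tmp/su" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth      required     /lib/security/$ISA/pam_wheel.so use_uid
EOF

echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
if su_requires_wheel "$tmp/su"; then
    echo "su: restricted to wheel"
else
    echo "su: pam_wheel line missing or commented out"
fi
```

An "unset" result means sshd falls back to its compiled-in default, which differs between OpenSSH versions.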