If you're not religious about locking your screen, you're asking to be
compromised in any event. There is nothing more potent than console
access when it comes to providing an easy route to break in to a
system.
For instance: If you're not religious about locking your screen, are
you religous about logging out of all root shells you may use before
you walk away? I find I need to slip away while mid-process once and a
while. If I wasn't religous about locking my screen someone could walk
up to my system, create a nefarious account, and clear the screen
before they walk away and I would be unlikely to notice.
If you're not religous about locking your screen, you need an
automatic screen saver that locks your screen, and you need that
screen saver configured to go off after no more than about 2 minutes
of inactivity. I have used such configurations in the past. These days
I do that *and* I'm religous about locking my screen.
If you normally use GNU Screen while you're su'ing on a remote
machine, you should at least configure the internal GNU Screen
screensaver with locking. It is simple to configure and it can prevent
someone from walking up and gaining access to a remote root shell.
Configured to "rain" or something it can be a handy visual reminder
"finish the task here and log out!"
Also a note, any reasonable key agent can be configured to forget the
passphrase after a particular period of time (even immediately). Using
a short passphrase and a key agent that forgets the passphrase
immediately with public key authentication is still better than being
botnet attacked for months on end. (With public key authentication
your site gets dropped from the attack list of the botnets -- they'll
know they can never succeed. Otherwise they keep consuming your
precious upstream bandwidth with requests.
Personally, if I have a server, I want to preserve my upstream
bandwidth. These days it tends to be crazily lopsided from the
downstream bandwidth. It also removes any possibility of an attack
showing up in logs which frees a lot of mental resources for me.
(While on personal machines typically only 3 folks will have SSH
access, I've administered systems where they guessed account names of
users that can log in -- rarely but it has happened to me. In no case
did they actually catch a password/passphrase, but knowing the
username is enough of a scare.)
Cheers,
Steven Black
On Wed, Jul 20, 2011 at 10:32 PM, Thomas C. Knoeller <tck@pretend.net> wrote:
> On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
>>
>> Make sure you use Public Key authentication and disable system
>> password authentication. A lot of the SSH attacks are done by botnets.
>> [...]
>
> Disagree here. I am more worried about coworkers then script kiddies.
> My coworkers know that I have ssh-agent running all the time, and
> they know the vanity domain of my home server. It would take a
> coworker less time to hack me then it takes for me to walk to the
> kitchen and back. Since I am not religious about locking the screen
> each time I walk away from the laptop, and because of the nature of
> the kids I (used to) work with, I would never use public key on a
> public facing interface.
>
> But I should mention that I also got really sick of the script kiddie
> login attempts, so I did my own homegrown solution. Since I have a
> publicly accessible web server running on the gateway host, I created
> a small ssl'd cgi script that, when invoked, adds the connecting ip
> address to the /etc/hosts.allow file for the sshd service. Since it
> is ssl'd, the web server password auth is not seen cleartext on the
> wire. And since it is just opening up the ssh port, I don't worry
> about having a strong auth password. It's worked pretty well for me
> for several years now.
>
> That said, I do enable PKI access when inside my firewall, so I have
> mostly a false sense of security. With easily installable keyloggers
> and with wifi access to the gooey center of my home network, there are
> still easily accessible vectors for someone determined to get in...
>
> -Tom
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
No comments:
Post a Comment