On Sun, Mar 14, 2010 at 08:51:12AM +0000, Andy Smith wrote:
> Do you think there's any pro-active measures that would be
> acceptable to VPS customers? Typical ways to foil SSH dictionary
> attacks:

> 1) Only use strong passwords.

Ideal, but plainly doesn't work.

> 2) Don't use passwords at all, only keys.

Will drive off potential customers quite rapidly -- nice to have
and to encourage, but is complex to set up right.

> 3) Disable root login.

I'm not sure how much this gets you -- as others have pointed out,
the default user in Ubuntu has root via sudo anyway, and there's
enough local root exploits floating around that it's probably not a
big hurdle.

> 4) Restrict the list of usernames that are valid, in combination
> with (1) and (3).

Again, I don't think this gets you much.

> 5) Install DenyHosts or Fail2Ban.

I think this could be a winner. Those who know they don't want it
are probably more technical, and thus more able to turn it off, in
comparison to those who need it because their systems are less secure
(by poor password selection).

> 6) Move sshd to another port.

This one is a case of simply not being low-hanging fruit. I'm still
surprised that the crackers haven't caught on to this yet.

More?

- Run your own password cracker and warn people about successful
  keys? (Would require agreement beforehand to avoid legal issues,
  but could go in the Ts&Cs...)

- Provision the standard VPS with logcheck set up to mail the admin
  about login attempts. That might then shock them enough to read an
  FAQ and act on it with some of the proactive measures above, such
  as (1) and (2).
Hugo.
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
   --- ... one ping(1) to rule them all, and in the darkness bind(2) them. ---
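The Fail2Ban/DenyHosts idea in (5) and the logcheck suggestion at the end, as an added example that is not part of the original thread or of either tool: a small Python detector that applies the same rule Fail2Ban's default sshd jail uses (5 password failures from one address inside a 10-minute window) to a constructed auth.log excerpt, and also produces the per-source failure counts a logcheck-style mail would carry. The log lines, the threshold and the window length are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt for the example (not a real capture).
SAMPLE_LOG = """\
Mar 14 08:51:12 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 08:51:14 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 08:51:15 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 14 08:51:17 vps sshd[2204]: Failed password for invalid user oracle from 203.0.113.7 port 51241 ssh2
Mar 14 08:51:20 vps sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Mar 14 08:52:01 vps sshd[2210]: Accepted publickey for hugo from 198.51.100.5 port 40022 ssh2
Mar 14 08:53:30 vps sshd[2212]: Failed password for hugo from 198.51.100.5 port 40030 ssh2
Mar 14 09:10:00 vps sshd[2300]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 14 09:40:00 vps sshd[2301]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 14 10:10:00 vps sshd[2302]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 14 10:40:00 vps sshd[2303]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 14 11:10:00 vps sshd[2304]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# sshd's failed-password line; "invalid user" is present when the account does not exist.
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text, year=2010):
    """Yield (timestamp, user, ip) per failed-password line; syslog stamps carry no year."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def offenders(log_text, maxretry=5, findtime_minutes=10):
    """Return {ip: trigger_time} for sources with >= maxretry failures inside one findtime window."""
    window = timedelta(minutes=findtime_minutes)
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window so it spans at most findtime
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = ts                  # first moment the rule trips for this source
                break
    return banned

def report(log_text):
    """Per-source failure counts (what a logcheck mail would list) plus the sources the rule tripped on."""
    counts = defaultdict(int)
    for _ts, _user, ip in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts), offenders(log_text)
```

On the sample data, 203.0.113.7 trips the rule within seconds, while 192.0.2.9 makes the same five attempts spread half an hour apart and never has five inside one window, which is exactly the slow-and-low pattern the logcheck count still surfaces.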