Re: [Full-Disclosure] Re: Re: Any update on SSH brute force attempts?
From: Ronny Adsetts (ronny.adsettsamazinginternet.com)
Date: Wed Oct 20 2004 - 04:56:47 CDT
Barrie Dempster said at 19/10/2004 11:47:
> Firstly, your DB would be backed up so you could restore the system,
> however ignoring that, and let's assume that for some reason we can't
> restore, which I admit is possible.
Yeah, the DB would be backed up. That's slightly different to getting remote
access when the user DB is unavailable for whatever reason.
> You can configure your machine to fallback onto local password files in
> the absence of the LDAP server, so I would keep a local user account
> on the server for just such emergency scenarios.
Exactly. Falling back to the local passwd is exactly what I was saying. Using the
root user in this case rather than a separate local user just means one less
thing to maintain - you always have a local root anyway.
Setting up the box with a long enough random password. Big letters "In case of
Or, like many have suggested, allow root access with keys only.
> This is in the situation where I can't get to the box locally, however I
> always provision for local access either in person or via a third party
> to any system I maintain, so I have never had to deal with this. Local
> access is a must in order to retain reliable uptime in my opinion.
Local tty access may be a 3 hour drive to the datacenter. Hands on help from
many datacenters gives you reboots only (depending whose shift it is).
> Multi-admin to me, means multi-access level, fine control and not giving
> any one more access than they require. I can see your point, but the
> technology provisions for it.
Of course, many layers, minimal access.
<shrug> It's a preference thing really. I don't see that allowing remote root
ssh access gives much away provided the password owners and the password are
> (excellent domain/company name BTW)
Thanks. We spent ages trying to come up with something snappy, etc., and I
think we'd just seen one too many things on the 'net that brought about the
reaction of "That's amazing!". Like the guy with the computer-controlled
Christmas lights that you can control from his website... and the Big Red
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
Full-Disclosure - We believe in it.
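The two settings the thread turns on, root logins over ssh restricted to keys, and the local password file consulted before LDAP so an admin can still get in when the directory is down, are both plain configuration lines that are easy to get wrong silently. Below is an added audit script (not part of the original mailing-list post, nor from any project the thread mentions) that reads an `sshd_config` and an `nsswitch.conf` and reports whether they match what the reply describes. The sample configuration files are constructed inline so the script runs offline; the file names under `$tmp` are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit sshd_config and nsswitch.conf for the two settings
# discussed above (root via keys only; local files before LDAP).

# First uncommented PermitRootLogin value in an sshd_config. sshd uses the
# first value it finds for each keyword, so we stop at the first match.
# Keywords are case-insensitive in sshd_config.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Succeeds only when root may log in but not with a password, i.e. the
# "allow root access with keys only" setup from the thread.
root_keys_only() {
    v=$(permit_root_login "$1")
    case "$v" in
        without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# The source list on the "passwd:" line of an nsswitch.conf.
passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; print; exit }' "$1"
}

# Succeeds when "files" is consulted before "ldap" (or ldap is absent), so a
# local account such as root still resolves when the LDAP server is down.
files_before_ldap() {
    set -- $(passwd_sources "$1")
    for s in "$@"; do
        case "$s" in
            files) return 0 ;;
            ldap)  return 1 ;;
        esac
    done
    return 1
}

# Constructed sample configurations (not from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/sshd_config.weak" <<'EOF'
# constructed sample: root may log in with a password over ssh
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$tmp/sshd_config.hardened" <<'EOF'
# constructed sample: root may log in, but only with a key
PermitRootLogin without-password
PasswordAuthentication yes
EOF

cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF

# Print a short report for each sample file.
for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    if root_keys_only "$f"; then
        printf '%s: root login keys-only (PermitRootLogin %s)\n' "$f" "$(permit_root_login "$f")"
    else
        printf '%s: root password login possible (PermitRootLogin %s)\n' "$f" "$(permit_root_login "$f")"
    fi
done

if files_before_ldap "$tmp/nsswitch.conf"; then
    printf '%s: local passwd consulted before LDAP\n' "$tmp/nsswitch.conf"
else
    printf '%s: LDAP consulted before local passwd\n' "$tmp/nsswitch.conf"
fi
```

Run it against real files by replacing the constructed samples with `/etc/ssh/sshd_config` and `/etc/nsswitch.conf`; the `files` check only looks at the `passwd:` line, so a host that lists `ldap` first for `shadow:` still needs a separate look.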