Re: 0Day?
Jul 08 2009 11:48PM, Jon Kibler (Jon Kibler aset com)
Sujith M K wrote:
> Ref Link : http://secer.org/hacktools/0day-openssh-remote-exploit.html
>
> Secure the sshd of your customers' servers ASAP by following at
> least the following steps.
>
> 1) Change Default SSH Port
> 2) Disable Direct Root Login
> 3) Disable common wheel users like admin. Use a hard-to-guess wheel username.
> 4) Disable shell access for all customers.
> 5) If possible, allow access to SSH only from Bobcares' and the customer's
> IP addresses (use a firewall and the hosts.{allow,deny} files to do this).
>
> Steps 1, 2 and 3 make it hard for users to guess the ssh port and wheel username.
> Step 4 prevents user accounts from getting hacked.
> Step 5 makes it almost 100% foolproof unless someone from our own network
> or the client's network tries to hack.
>
> Regards
> Sujith
>
Good general advice.
I always either use a port knocker or have ssh listen only on an internal IP
accessible only through a VPN. I was not worried about my or my customers'
systems, but was curious if anyone knew what was going on.
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
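The quoted checklist (steps 1 to 3) and the reply's "listen only on an internal IP" approach, as an added shell audit that is not part of the original thread: it reads an sshd_config the way sshd does (first match wins, comments skipped, keywords case-insensitive) and prints one finding per unmet item. The directive names are real sshd_config keywords; the function names and the sample configuration are my own constructed additions.

```shell
#!/bin/sh
# Added audit script, not code from the original thread. Checks an sshd_config
# against steps 1-3 of the quoted list plus the reply's "listen on an internal
# IP" approach (step 4, customers' login shells, lives in /etc/passwd; step 5,
# firewall/hosts.allow, is outside sshd_config). POSIX sh and awk only.

# Effective value of a keyword: sshd uses the first match, skips blank and
# comment lines, and compares keywords case-insensitively.
sshd_value() {                       # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one finding per unmet item; return 1 if any finding was printed.
audit_sshd_config() {
    f=$1 bad=0
    port=$(sshd_value "$f" Port)
    root=$(sshd_value "$f" PermitRootLogin)
    users=$(sshd_value "$f" AllowUsers)
    listen=$(sshd_value "$f" ListenAddress)
    # Step 1: an unset Port means the compiled-in default, 22.
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "step1: sshd listens on the default port 22"; bad=1
    fi
    # Step 2: only an explicit "no" disables direct root login entirely.
    if [ "$root" != no ]; then
        echo "step2: PermitRootLogin is '${root:-unset}', expected 'no'"; bad=1
    fi
    # Step 3: require an allow-list, and reject a guessable name such as admin.
    case " $users " in
        "  ")                    echo "step3: no AllowUsers restriction"; bad=1 ;;
        *" admin "*|*" admin@"*) echo "step3: AllowUsers contains 'admin'"; bad=1 ;;
    esac
    # Reply: bind to one internal (VPN-reachable) address, not every interface.
    if [ -z "$listen" ] || [ "$listen" = 0.0.0.0 ] || [ "$listen" = "::" ]; then
        echo "listen: ListenAddress is '${listen:-unset}', binds to all interfaces"; bad=1
    fi
    return $bad
}

# Constructed sample resembling an untouched install; expect four findings.
tmp=$(mktemp)
printf '# constructed sample\nPort 22\nPermitRootLogin yes\nAllowUsers admin\n' >"$tmp"
audit_sshd_config "$tmp" || echo "-> not hardened; fix the items above"
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config on each customer host; a zero exit status means every checked item is met, and the printed lines name exactly which step still needs work.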