Different network types will have different abilities to enforce this.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest Internet Exchange
http://www.midwest-ix.com

----- Original Message -----
From: "Jared Mauch" <jared@puck.nether.net>
To: "Joe Abley" <jabley@hopcount.ca>
Cc: nanog@nanog.org
Sent: Saturday, December 26, 2015 3:21:03 PM
Subject: Re: de-peering for security sake

On Dec 26, 2015, at 11:14 AM, Joe Abley <jabley@hopcount.ca> wrote:
With respect to ssh scans in particular -- disable all forms of password authentication and insist upon public key authentication instead. If the password scan log lines still upset you, stop logging them.
Or if you can’t get users to use keys (aside from removing the users) consider things like:

example /etc/ssh/sshd_config

Match User root
    PasswordAuthentication no

for users that should not be permitted to fall back to password authentication.

- Jared