On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to the security settings of all of the web sites under your administration. Otherwise, anonymous skript kiddiez could show up at any moment and deface one or more of your web sites. (It happens a lot.)
Just this week, I have seen an (unconfirmed) report that there is an organized effort that's abusing SSH keys that lack passphrases - if they pwn a system and find one, they go surfing it as far as they can. And yes, I know that automated systems can't use passphrases... so remember to check to see if you can use 'force-command=' in the known hosts file so that the key can only issue one command. (Yes, this means that if the automation host has to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.) 'ssh-keygen -H' also helps control things.
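The reply above points at forced commands as the mitigation for passphrase-less automation keys. In OpenSSH the option is spelled `command="..."` (optionally combined with `restrict`, available since OpenSSH 7.2) and it is set per key in the server-side `authorized_keys` file, not in `known_hosts` (`ssh-keygen -H` hashes the hostnames in `known_hosts`, which is a separate control). The script below is an added example written for this post, not code from the thread or from OpenSSH: it audits an `authorized_keys` file and flags every key that has no forced command, i.e. every key that would give a full shell to whoever lifts the matching private key from a compromised automation host. The file content and key material are constructed sample data; the function name `audit_authorized_keys` and the `backup-receive.sh` path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an OpenSSH authorized_keys
# file for keys that lack a forced command. Such keys grant an interactive
# shell to anyone holding the private key, which is the exposure the thread
# describes for passphrase-less automation keys.

# Constructed sample authorized_keys content (not from any real host).
SAMPLE_AUTHORIZED_KEYS='# backup automation: locked to a single receiver script, no forwarding/pty
restrict,command="/usr/local/bin/backup-receive.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne backup@automation
# deploy key with no options at all: full shell if the private key leaks
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo deploy@ci
# forced command but no restrict: command is fixed, forwarding still allowed
command="/usr/bin/git-shell -c" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyThree git@ci
'

# audit_authorized_keys [FILE]
# Reads an authorized_keys file (or stdin) and prints one status line per key:
#   UNRESTRICTED              no forced command; the key gives a shell
#   forced-command            command="..." present
#   forced-command+restrict   command="..." plus restrict (no pty/forwarding)
# followed by a SUMMARY line with the count of unrestricted keys.
audit_authorized_keys() {
    awk '
        # Skip blank lines and comments.
        /^[ \t]*(#|$)/ { next }
        {
            # The options field, if any, is everything before the key-type
            # token. Locate the key type so that quoted options containing
            # spaces (command="git-shell -c") are not split incorrectly.
            if (!match($0, /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[^ \t]+)[ \t]+[A-Za-z0-9+\/=]+/)) {
                printf "UNPARSED: %s\n", $0
                next
            }
            opts = substr($0, 1, RSTART - 1)
            n = split(substr($0, RSTART), f)
            comment = (n >= 3) ? f[3] : "(no comment)"

            status = "UNRESTRICTED"
            if (opts ~ /(^|,)command="/)              status = "forced-command"
            if (opts ~ /(^|,)restrict(,|[ \t]|$)/)   status = status "+restrict"
            if (status == "UNRESTRICTED") unrestricted++
            printf "%-28s %s %s\n", status, f[1], comment
        }
        END { printf "SUMMARY unrestricted=%d\n", unrestricted + 0 }
    ' "$@"
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys
```

Run it against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`; any `UNRESTRICTED` line on a host that only receives automated connections is a key worth rotating into a `restrict,command="..."` entry. As the reply notes, one command per key means one keypair per automated task.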