This is your helpful Friday reminder to always pay close attention to the security settings of all of the web sites under your administration. Otherwise, anonymous skript kiddiez could show up at any moment and deface one or more of your web sites. (It happens a lot.) https://ipv4.plus/
On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to the security settings of all of the web sites under your administration. Otherwise, anonymous skript kiddiez could show up at any moment and deface one or more of your web sites. (It happens a lot.)
Just this week, I have seen an (unconfirmed) report that there is an organized effort that's abusing SSH keys that lack passphrases - if they pwn a system and find one, they go surfing it as far as they can. And yes, I know that automated systems can't use passphrases.. so remember to check to see if you can use 'force-command=' in the known hosts file so that the key can only issue one command. (yes, this means that if the automation host has to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.) 'ssh-keygen -H' also helps control things.
On Fri, May 15, 2020 at 4:25 PM Valdis Klētnieks <valdis.kletnieks@vt.edu> wrote:
> On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> > This is your helpful Friday reminder to always pay close attention to the security settings of all of the web sites under your administration. Otherwise, anonymous skript kiddiez could show up at any moment and deface one or more of your web sites. (It happens a lot.) https://ipv4.plus/
>
> Just this week, I have seen an (unconfirmed) report that there is an organized effort that's abusing SSH keys that lack passphrases - if they pwn a system and find one, they go surfing it as far as they can.
You may have missed the schadenfreude in Ronald's post.

Give it a rest Ronald. You won.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Big plus 1 to Bill's point.

On Fri, May 15, 2020, 6:37 PM William Herrin <bill@herrin.us> wrote:
> You may have missed the schadenfreude in Ronald's post.
>
> Give it a rest Ronald. You won.
>
> Regards,
> Bill Herrin
+1

On Sat, May 16, 2020 at 4:44 AM Mike Hale <eyeronic.design@gmail.com> wrote:
> Big plus 1 to Bill's point.
--
Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta
Web. https://www.um.edu.mt/profile/etiennedepasquale
On Fri, May 15, 2020 at 07:24:51PM -0400, Valdis Klētnieks wrote:
> And yes, I know that automated systems can't use passphrases.. so remember to check to see if you can use 'force-command=' in the known hosts file so that the key can only issue one command. (yes, this means that if the automation host has to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.)
No need for trade-offs here; you can have a `command=` (it's not `force-command=`) wrapper script that validates the command that was sent (via `$SSH_ORIGINAL_COMMAND`) and does an `exec` if it's on the "approved" list. One key, many commands, any command you don't allow gets blocked.

- Matt
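A wrapper of the kind Matt describes, as an added example that is not code from the thread or from any of its participants. The script name and path (`/usr/local/bin/ssh-gate.sh`), the allow-list entries and the syslog logging are assumptions; `SSH_ORIGINAL_COMMAND` and `SSH_CLIENT` are the variables sshd really sets. The point the example makes beyond the prose is that the comparison is an exact string match, not a prefix or pattern match, so a key holder cannot append arguments or a second command to an approved line:

```shell
#!/bin/sh
# ssh-gate.sh (assumed name and path: /usr/local/bin/ssh-gate.sh)
# Forced-command wrapper for one automation key. Constructed example, not
# code from the thread. Install it on the key's authorized_keys line, e.g.:
#
#   command="/usr/local/bin/ssh-gate.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... automation@example
#
# sshd then ignores whatever the client asked to run, puts that request in
# SSH_ORIGINAL_COMMAND and runs this script instead; the script decides what,
# if anything, is actually executed.

set -f   # no pathname expansion anywhere in this script (keeps word splitting exact)

nl='
'        # a literal newline, used to reject multi-line requests

# Allow list: exact command lines, one per line (constructed sample entries).
# Exact string matching means a holder of the key cannot append "; sh",
# add flags, or substitute a different binary.
ALLOWED_COMMANDS='/usr/local/bin/rotate-logs
/usr/local/bin/backup-snapshot --target /srv/backup
/usr/bin/uptime'

# is_allowed CMD: returns 0 if CMD exactly equals an allow-list entry, 1 otherwise.
is_allowed() {
    _cmd=$1
    case "$_cmd" in
        '')        return 1 ;;   # no command = interactive shell request: deny
        *"$nl"*)   return 1 ;;   # embedded newline could smuggle a second line
    esac
    _saved_ifs=$IFS
    IFS=$nl                      # split the allow list on newlines only
    for _allowed in $ALLOWED_COMMANDS; do
        if [ "$_cmd" = "$_allowed" ]; then
            IFS=$_saved_ifs
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# main: vet SSH_ORIGINAL_COMMAND, log the decision, then exec it or refuse.
main() {
    _requested=${SSH_ORIGINAL_COMMAND-}
    _peer=${SSH_CLIENT%% *}      # client address, set by sshd (empty if absent)
    if is_allowed "$_requested"; then
        logger -t ssh-gate -p auth.info "allowed from ${_peer:-?}: $_requested" 2>/dev/null || true
        # Word-split the vetted line into argv (no globbing: set -f above)
        # and replace this shell with it, so nothing of the wrapper remains.
        exec $_requested
    fi
    logger -t ssh-gate -p auth.warning "denied from ${_peer:-?}: ${_requested:-<none>}" 2>/dev/null || true
    printf 'ssh-gate: command not permitted\n' >&2
    exit 127
}

# Run the gate only when executed as the installed script; when the file is
# sourced (e.g. for testing) only the functions above are defined.
case "${0##*/}" in
    ssh-gate.sh) main ;;
esac
```

The `no-pty,no-port-forwarding,...` options on the same `authorized_keys` line are what stop the key from being used for anything other than the wrapper, and the denied-command log line is the signal to alert on: a legitimate automation host only ever sends lines that are on the list, so a denial means either a broken job or someone trying the key from a compromised box. Where the same policy should apply to a whole class of users rather than one key, `ForceCommand` inside a `Match` block in `sshd_config` achieves the same effect server-side.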
participants (6)
- Etienne-Victor Depasquale
- Matt Palmer
- Mike Hale
- Ronald F. Guilmette
- Valdis Klētnieks
- William Herrin