Network Security: Detailed info on Re: RE: Internet SSH scans

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Incidents

[Top] [All Lists]

Re: RE: Internet SSH scans

from [Michael . Lang] Network Security

[Permanent Link]

Subject:	Re: RE: Internet SSH scans
Date:	23 Mar 2006 09:01:08 -0000

*urgh* thats why things go terribly wrong. 

Security by obscurity isn't save, wasnt and will never be, if you just dont 
want the LogEntrys, exclude it from your Syslog.

if you want to secure your SSH Service, try following steps:

 - if possible, use a seperate LAN (MGMT) and bind 
    your Service to this LAN only.
    if theres no physical seperated LAN, build a 
    virtual seperated LAN (IPSec, ...)
 - disable the weakest Authentication (Password)
 - enforce your Authentication (RSA Keys) by 
    limiting the usage (man sshd, look for from=)
 - enforce better policy in SSHD config, limit 
    retrys, ... for my understanding it doesnt 
    make sence to lockout root. there are enought 
    exploits to gain root access anyway.
 - if you still want to limit the IP/TCP access to  
    SSH Service, do it on your Router infront of 
    the Machine.

there are no 15 bricks to stumble over  for allowed access, its transparent for 
upgrades, and its even more secure as theres no forgotten dependency.

my 5 cents
Greetz mIke

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: RE: Internet SSH scans, (continued) Re: RE: Internet SSH scans, joakim . berge Re: Re: RE: Internet SSH scans, mrbits RE: Internet SSH scans, Adriano Carvalho Re: Internet SSH scans, Valdis . Kletnieks Re: Internet SSH scans, Adriano Carvalho RE: Internet SSH scans, William Tarkington Re: Internet SSH scans, ilaiy Re: Internet SSH scans, Stephen J. Smoogen RE: RE: Internet SSH scans, Teodorski, Chris Re: Re: Internet SSH scans, notonyour Re: RE: Internet SSH scans, Michael . Lang <= Re: Internet SSH scans, Valdis . Kletnieks

Previous by Date:	Re: Internet SSH scans, Adriano Carvalho
Next by Date:	RE: A pretty neat Chase Phish, Jason Burton
Previous by Thread:	Re: Re: Internet SSH scans, notonyour
Next by Thread:	Re: Internet SSH scans, Valdis . Kletnieks
Indexes:	[Date] [Thread] [Top] [All Lists]