From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Re: Re: Any update on SSH brute force attempts?
On Tue, 2004-10-19 at 11:00 +0100, Ronny Adsetts wrote:
> How about where you have no local users except root - all other users are via
> LDAP or similar - and some catastrophe takes out your user DB? Allowing root
> ssh login will at least get you access to the box.
>
> Allowing root ssh access but setting policy on its use seems a better option
> to me. And running jack the ripper on your password hashes of course.
>
> Ronny
Firstly, your DB would be backed up so you could restore the system;
however, ignoring that, let's assume that for some reason we can't
restore, which I admit is possible.
You can configure your machine to fall back onto local password files in
the absence of the LDAP server, so I would keep a local user account
on the server for just such emergency scenarios.
This is in the situation where I can't get to the box locally; however, I
always provision for local access, either in person or via a third party,
to any system I maintain, so I have never had to deal with this. Local
access is a must in order to retain reliable uptime, in my opinion.
Multi-admin to me, means multi-access level, fine control and not giving
any one more access than they require. I can see your point, but the
technology provisions for it.
(excellent domain/company name BTW)
Regards,
--
Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk
[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
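The local-account fallback Barrie describes, shown as an added configuration example that is not part of the thread. It assumes a glibc-based Linux host using nsswitch and OpenSSH; the account name `breakglass` and the management network `10.0.0.0/8` are constructed placeholders. Name resolution consults `files` before `ldap`, so the local emergency account keeps working when the directory is unreachable, and sshd permits that account (never root) only from the management network.

```conf
# --- /etc/nsswitch.conf (relevant lines only) ---
# "files" first: local /etc/passwd, /etc/shadow and /etc/group are
# consulted before LDAP, so an emergency account still resolves when
# the directory server is down or its data is lost.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# --- /etc/ssh/sshd_config (relevant lines only) ---
# Root never logs in over SSH; brute-force attempts against "root" fail
# before any password is checked.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Only the directory-managed admins and the local emergency account
# ("breakglass" is a constructed placeholder name) may log in at all.
AllowUsers admin1 admin2 breakglass

# The emergency account is key-only and reachable solely from the
# management network; any other source address is rejected.
Match User breakglass Address 10.0.0.0/8
    PubkeyAuthentication yes
    PasswordAuthentication no
    AuthenticationMethods publickey
```

Reload sshd after editing (`sshd -t` first to syntax-check the file), and verify the fallback deliberately by stopping the LDAP client or firewalling the directory server and confirming `getent passwd breakglass` still resolves from the local files. Privilege escalation for the emergency account then goes through `sudo`, leaving an audit trail that a shared root login would not.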