Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Re: Any update on SSH brute force attempts?
From: Ronny Adsetts <ronny.adsetts () amazinginternet com>
Date: Wed, 20 Oct 2004 10:56:47 +0100

Barrie Dempster said at 19/10/2004 11:47:
Firstly, your DB would be backed up so you could restore the system,
however ignoring that, and lets assume that for some reason we can't
restore, which I admit is possible.

Yeah, the DB would be backed up. That's slightly different to getting remote access when the user DB is unavailable for whatever reason.

You can configure your machine to fallback onto local password files in
the absence of the the LDAP server, so I would keep a local user account
on the server for just such emergency scenarios.

Exactly. Fall back to the local passwd is exactly what I was saying. Using the root user in this case rather than a separate local user just means one less thing to maintain - you always have a local root anyway.

Setting up the box with a long enough random password. Big letters "In case of Emergency only".

Or, like many have suggested, allow root access with keys only.

This is in the situation where i can't get to the box locally, however I
always provision for local access either in person or via a third party
to any system I maintain, so I have never had to deal with this. Local
access is a must in order to retain reliable uptime in my opinion.

Local tty access may be a 3 hour drive to the datacenter. Hands on help from many datacenters gives you reboots only (depending who's shift it is).

Multi-admin to me, means multi-access level, fine control and not giving
any one more access than they require. I can see your point, but the
technology provisions for it.

Of course, many layers, minimal access.

<shrug> It's a preference thing really. I don't see that allowing remote root ssh access gives much away provided the password owners and the password are trusted.

(excellent domain/company name BTW)

Thanks. We spent ages trying to come up with something snappy, etc., and I think we'd just seen one to many things on the 'net that brought about the reaction of "That's amazing!". Like the guy with the computer comtrolled christmas lights that you can control from his website... and the Big Red Button. Heh.

Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]