[RDD] security breach

Kevin Miller atftb2 at alaska.net
Sun Nov 25 18:32:02 EST 2012


On 11/25/2012 10:51 AM, James Harrison wrote:
> Best approach is not to use passwords - SSH keys are simple to set up
> and you can disable password authentication in sshd, which makes your
> system practically uncrackable.

Took the words right out of my mouth.  The other thing I like to do is 
disable ssh 1 and ssh to root.  If you need root access from afar, ssh 
to a non-privileged account then "su -" to gain root.

> Fail2ban is also an excellent program to run - it will automatically
> block in iptables anything that fails to log in more than a few times,
> which stops most automated bots.

As a further step, you could set up an OpenVPN server and not expose 
your Rivendell box to inbound internet traffic at all.  You create a 
tunnel to the OpenVPN server then you're 'local' and can ssh to the rd 
host.  Linux Journal had a great three-part write-up on this a few years 
back in the Paranoid Penguin column.  (The ssh/OpenVPN part, not the 
Rivendell part.)  Best of luck with the cleanup...

...Kevin
-- 
Kevin Miller - http://www.alaska.net/~atftb
Juneau, Alaska
In a recent survey, 7 out of 10 hard drives preferred Linux
Registered Linux User No: 307357, http://linuxcounter.net
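
The sshd settings recommended in this thread (no password authentication, no SSH protocol 1, no direct root login) can be checked with a small audit of sshd_config text. This is an added example, not part of the original messages; the sample configs, `WANTED`, `LINE` and `audit` are constructed names for illustration.

```python
import re

# Values that satisfy the thread's advice (keywords are case-insensitive in sshd_config).
WANTED = {
    "passwordauthentication": "no",  # keys only, no passwords
    "permitrootlogin": "no",         # log in unprivileged, then "su -"
    "protocol": "2",                 # no SSH protocol 1
}
# keyword, then whitespace or a single '=', then the value; comment lines never match
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(\S.*)$")

def audit(text):
    """Return (report, overrides) for sshd_config text.
    report: keyword -> "ok" / "weak" / "unset" for the global section, where the
    first occurrence of a keyword wins. "unset" means the file relies on the
    build's default, which varies by OpenSSH version.
    overrides: (keyword, value) pairs inside Match blocks that undo the advice."""
    seen, overrides, in_match = {}, [], False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).split()[0].strip('"').lower()
        if key == "match":
            in_match = True
        elif in_match:
            if key in WANTED and value != WANTED[key]:
                overrides.append((key, value))
        else:
            seen.setdefault(key, value)
    report = {}
    for key, want in WANTED.items():
        report[key] = "unset" if key not in seen else ("ok" if seen[key] == want else "weak")
    return report, overrides

# Constructed sample: the later "no" is ignored because the first value wins.
WEAK = """Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
"""
# Constructed sample: hardened globally, but a Match block re-enables passwords.
HARDENED = """Protocol 2
PermitRootLogin no
PasswordAuthentication = no
Match User backup
    PasswordAuthentication yes
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

On a live host, `sshd -T` prints the effective configuration, including defaults that a file-based check like this reports as "unset".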