de-peering for security sake

Mike Hammett nanog at ics-il.net
Sat Dec 26 22:42:53 UTC 2015


Different network types will have different abilities to enforce this. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Jared Mauch" <jared at puck.nether.net> 
To: "Joe Abley" <jabley at hopcount.ca> 
Cc: nanog at nanog.org 
Sent: Saturday, December 26, 2015 3:21:03 PM 
Subject: Re: de-peering for security sake 


> On Dec 26, 2015, at 11:14 AM, Joe Abley <jabley at hopcount.ca> wrote: 
> 
> With respect to ssh scans in particular -- disable all forms of 
> password authentication and insist upon public key authentication 
> instead. If the password scan log lines still upset you, stop logging 
> them. 

Or if you can’t get users to use keys (aside from removing the users), consider things like:

Example /etc/ssh/sshd_config:

    Match User root
        PasswordAuthentication no

for users that should not be permitted to fall back to password authentication.

- Jared 
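
[Added example, not part of any poster's message: a simplified model of how sshd resolves a keyword for a given user when Match blocks like the one quoted above are present. The sample config, the extra users and the function names are constructed for illustration; only `Match User` and `Match all` are handled.]

```python
import fnmatch

# Constructed sample config; only the "Match User root" block comes from the thread.
SAMPLE = """\
PasswordAuthentication yes
KbdInteractiveAuthentication no

Match User root
    PasswordAuthentication no

Match User backup,deploy-*
    PasswordAuthentication no
"""

def user_matches(patterns, user):
    """Pattern-list rule: a negated hit vetoes, otherwise one positive hit is needed.
    (fnmatch also accepts [] classes, which sshd patterns do not; close enough here.)"""
    hit = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(user, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(user, pat):
            hit = True
    return hit

def effective(config, user, keyword="passwordauthentication", default="yes"):
    """Resolve `keyword` for `user`: the first matching Match block overrides the
    first global value; `default` is OpenSSH's built-in default for the keyword."""
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after the first Match line is conditional
            crit, _, pats = arg.partition(" ")
            active = crit.lower() == "all" or (
                crit.lower() == "user" and user_matches(pats.strip(), user))
        elif key == keyword:
            if in_match and active and match_val is None:
                match_val = arg.lower()
            elif not in_match and global_val is None:
                global_val = arg.lower()
    return match_val or global_val or default
```

On a live host, `sshd -T -C user=root` prints the values sshd itself resolves for that user and is the authoritative check.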
