Friday Reminder: Web Site Security

Valdis Kl=?utf-8?Q?=c4=93?=tnieks valdis.kletnieks at
Fri May 15 23:24:51 UTC 2020

On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to
> the security settings of all of the web sites under your administration.
> Otherwise, anonymous skript kiddiez could show up at any moment and
> deface one or more of your web sites.  (It happens a lot.)

Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.

And yes, I know that automated systems can't use passphrases.. so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command.  (yes, this means that if the automation host has
to do a dozen different things, it needs a dozen keypairs.  Security is always tradeoffs.)

'ssh-keygen -H' also helps control things.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list