Friday Reminder: Web Site Security
valdis.kletnieks at vt.edu
Fri May 15 23:24:51 UTC 2020
On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to
> the security settings of all of the web sites under your administration.
> Otherwise, anonymous skript kiddiez could show up at any moment and
> deface one or more of your web sites. (It happens a lot.)

Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.

And yes, I know that automated systems can't use passphrases.. so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command. (yes, this means that if the automation host has
to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.)

'ssh-keygen -H' also helps control things.
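
Added example, not part of the original message: a small Python audit for the two mitigations mentioned above. It assumes OpenSSH file formats, where a per-key forced command is the `command="..."` option in `authorized_keys` and `ssh-keygen -H` rewrites `known_hosts` host fields as `|1|salt|hash`; the function names and sample entries are constructed for illustration.

```python
import re

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Leading options field: comma-separated, values may be quoted and hold spaces.
OPTS = re.compile(r'((?:"(?:\\"|[^"])*"|[^\s"])+)\s+(.*)')
QUOTED = re.compile(r'"(?:\\"|[^"])*"')
# Constructed sample data; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = '''\
command="/usr/local/bin/push-backup --site a",no-pty ssh-ed25519 AAAAC3placeholder1 backup@automation
from="192.0.2.10",no-port-forwarding ssh-ed25519 AAAAC3placeholder2 deploy@automation
# key with no options at all
ssh-rsa AAAAB3placeholder3 ops@jumphost
'''
SAMPLE_KNOWN_HOSTS = '''\
|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ssh-ed25519 AAAAC3placeholder4
db1.example.net,192.0.2.20 ssh-ed25519 AAAAC3placeholder5
@revoked old-bastion.example.net ssh-ed25519 AAAAC3placeholder6
'''

def keys_without_forced_command(text):
    """Return (line_no, last_field) for entries that lack a command= option."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = None if line.startswith(KEY_PREFIXES) else OPTS.match(line)
        options, rest = m.groups() if m else ("", line)
        # Drop quoted values so text inside from="..." cannot pass as an option.
        names = {o.split("=")[0].lower() for o in QUOTED.sub("", options).split(",")}
        if "command" not in names:
            findings.append((n, rest.split()[-1]))
    return findings

def unhashed_known_hosts(text):
    """Return (line_no, host_field) for known_hosts entries stored in cleartext."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and not fields[0].startswith(("#", "|1|")):
            findings.append((n, fields[0]))
    return findings

if __name__ == "__main__":
    print(keys_without_forced_command(SAMPLE_AUTHORIZED_KEYS))
    print(unhashed_known_hosts(SAMPLE_KNOWN_HOSTS))
```

Pointed at real files, the first function lists keys that can still run arbitrary commands, and the second lists host names that anyone reading the file can see.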