Friday Reminder: Web Site Security

Valdis Klētnieks valdis.kletnieks at vt.edu
Fri May 15 23:24:51 UTC 2020


On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to
> the security settings of all of the web sites under your administration.
> Otherwise, anonymous skript kiddiez could show up at any moment and
> deface one or more of your web sites.  (It happens a lot.)

Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.

And yes, I know that automated systems can't use passphrases.. so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command.  (yes, this means that if the automation host has
to do a dozen different things, it needs a dozen keypairs.  Security is always tradeoffs.)

'ssh-keygen -H' also helps control things.
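One defender-side check for the point above, as an added example (not Valdis's code or anything else from the thread): OpenSSH's per-key restrictions live in the server's authorized_keys file, so this script parses such a file and flags every key that is not pinned to one command with `command=`, or not locked down with `restrict` and `from=`. The sample keys, wrapper path and address are constructed.

```python
# Added example, not from the original post: audit an OpenSSH authorized_keys
# file for keys not pinned to a single command.  Sample keys are constructed.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")

SAMPLE = """\
# constructed sample, not a real authorized_keys file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE backup@automation
command="/usr/local/bin/rsync-wrapper",restrict,from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO backup@automation
no-pty,command="uptime, -p" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEYTHREE monitor@probe
"""

def _scan(s, stop):
    """Index where the options field (stop=' ') or one option (stop=',') ends;
    a double-quoted value may contain the stop character or backslash escapes."""
    i, quoted = 0, False
    while i < len(s) and (quoted or s[i] != stop):
        if s[i] == '"':
            quoted = not quoted
        elif s[i] == "\\" and quoted:
            i += 1          # skip the escaped character
        i += 1
    return i

def parse_authorized_key(line):
    """One authorized_keys line -> {options, type, comment}; None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # A line starting with a key type has no options field in front of it.
    end = 0 if line.startswith(KEY_TYPES) else _scan(line, " ")
    opts, fields = line[:end], line[end:].split(None, 2)
    if len(fields) < 2:
        return None
    options = {}
    while opts:                       # split options on unquoted commas
        end = _scan(opts, ",")
        name, _, value = opts[:end].partition("=")
        options[name.lower()] = value.strip('"')
        opts = opts[end + 1:]
    return {"options": options, "type": fields[0],
            "comment": fields[2] if len(fields) > 2 else ""}

def audit(text):
    """Flag every key missing command= (single command), restrict or from=."""
    results = []
    for line in text.splitlines():
        key = parse_authorized_key(line)
        if key:
            key["findings"] = [f"missing {o}" for o in ("command", "restrict", "from")
                               if o not in key["options"]]
            results.append(key)
    return results
```

Run `audit(open("/path/to/authorized_keys").read())` and treat any automation key with a non-empty findings list as one that still grants a full shell.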