Security/Hacked System - Now what?!!
Wolfgang S. Rupprecht
wolfgang.rupprecht at gmail.com
Sun Dec 22 13:31:12 UTC 2013
bruce <badouglas at gmail.com> writes:
> And regarding the ssh/remote access, you specify public/private keys,
> and you have the key process run from the key file. This allows a user
> to be able to ssh into the box without having to use the ssh passwd,
> but only from the corresponding box that has the associated public
> (master/client) passwd/key setup to permit the login access.

You should set up the RSA or ECDHE private keys with a password.
ssh-keygen prompts you for a password when it cranks out the key for

> But in this situation, if a user hacks into the 1st system, then they
> have access to the 2nd system, assuming they know the 2nd system's
> username. This would happen as the private/public key access file has
> been setup!

Without the decryption password for the RSA or ECDHE keys, they are

On the other hand, you want *all* of your systems up to snuff with
all forms of unix password logins turned off. Seems like you are
implying that some systems are easier to break into than others. That's

# reset the host keys to only rsa or ecdsa
# rekey every hour or default data (1G - 4G depending on cipher)
RekeyLimit default 1h
# We use RSA/ECDSA. If it hasn't completed in 10 seconds, there is a
# big problem.
# Unlike what this looks like, it says that root may not use the unix
# password for authentication. Root *must* use public-key. -wsr
# no unix passwords any more. RSA or ECDSA only.
UsePrivilegeSeparation sandbox # Default for new installations.
# Set the keep-alive for a heartbeat every 60 seconds and a connection
# close after 30 minutes. -wsr 2003/11/26
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
# Cut down on the number of user accounts that can ssh in just in case
# some bug allows .ssh/authorized_keys files to be written.
AllowUsers root user1 user2 usern
# --- end ----