Friday Reminder: Web Site Security
- Subject: Friday Reminder: Web Site Security
- From: valdis.kletnieks at vt.edu (Valdis Klētnieks)
- Date: Fri, 15 May 2020 19:24:51 -0400
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Fri, 15 May 2020 12:15:13 -0700, "Ronald F. Guilmette" said:
> This is your helpful Friday reminder to always pay close attention to
> the security settings of all of the web sites under your administration.
> Otherwise, anonymous skript kiddiez could show up at any moment and
> deface one or more of your web sites. (It happens a lot.)
Just this week, I have seen an (unconfirmed) report that there is an organized
effort that's abusing SSH keys that lack passphrases - if they pwn a system and
find one, they go surfing it as far as they can.
And yes, I know that automated systems can't use passphrases... so remember to
check to see if you can use 'force-command=' in the known hosts file so that the
key can only issue one command. (Yes, this means that if the automation host has
to do a dozen different things, it needs a dozen keypairs. Security is always tradeoffs.)
'ssh-keygen -H' also helps control things.
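Below is an added example, not part of the thread or of any poster's message, showing the restriction the reply describes: OpenSSH's `authorized_keys` `command=` option (combined with `restrict`, available since OpenSSH 7.2) pins a passphrase-less automation key to a single forced command, and sshd hands the client's requested command to that program in `SSH_ORIGINAL_COMMAND`. The script builds such an entry, audits an `authorized_keys` file for keys that carry no `command=` option, and implements an exact-match allowlist dispatcher for the forced command. The forced-command path `/usr/local/bin/ssh-forced-command`, the key blobs and the allowed command strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates restricting an automation
# SSH key to one forced command and auditing authorized_keys for unrestricted keys.
# Paths, key blobs and command strings below are constructed placeholders.

# Build an authorized_keys entry that forces a single command and, via
# "restrict", also disables port forwarding, agent forwarding, X11 and PTY.
#   $1 = forced command path, $2 = public key line ("type blob comment")
restricted_entry() {
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# Audit: print the line numbers of authorized_keys entries that have no
# command= option (comments and blank lines are skipped).
#   $1 = path to an authorized_keys file
unrestricted_keys() {
    grep -n -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | grep -v 'command=' \
        | cut -d: -f1
}

# Allowlist for the forced command, one exact command string per line
# (constructed for this example; a real list would be generated from what
# the automation host actually needs, one key per task as the reply notes).
ALLOWED_COMMANDS='rsync --server --sender -logDtpre.iLsfxC . /srv/backup/
/usr/local/bin/rotate-logs'

# Exact, fixed-string, whole-line match: no globbing, so appended arguments
# or shell metacharacters in the request never match an allowed entry.
#   $1 = literal command string requested by the client
forced_command_allowed() {
    printf '%s\n' "$ALLOWED_COMMANDS" | grep -qxF -- "$1"
}

# Entry point for the program named in command="...": sshd puts the client's
# requested command in SSH_ORIGINAL_COMMAND. Returns 0 and echoes the action
# when allowed, returns 1 and logs the rejection to stderr otherwise.
run_forced_command() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if forced_command_allowed "$req"; then
        echo "allowed: $req"
        # In production this is where the fixed command is executed, e.g.
        # via a case statement dispatching to a known binary, not "exec $req".
        return 0
    fi
    echo "rejected request from ${SSH_CLIENT:-unknown}: $req" >&2
    return 1
}

# Stand-alone demo: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    restricted_entry /usr/local/bin/ssh-forced-command \
        'ssh-ed25519 AAAAEXAMPLEKEYBLOB backup@automation'
    SSH_ORIGINAL_COMMAND='/usr/local/bin/rotate-logs' run_forced_command
    SSH_ORIGINAL_COMMAND='/usr/local/bin/rotate-logs; id' run_forced_command || true
fi
```

Install the generated line in the target account's `~/.ssh/authorized_keys`, point `command=` at a copy of this script (or a dedicated dispatcher), and run `unrestricted_keys` over each host's key files to find automation keys that still grant an unrestricted shell.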