Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: Scott Beardsley <scott () CSE UCDAVIS EDU>
Date: Fri, 19 Mar 2010 09:41:17 -0700

While we are confident in the strength of our passwords, as you know,
with enough effort.......

I didn't see anyone else mention this, but it might be a good time to
turn *off* password-based remote access. We have been requiring SSH
public-key-based access to our research resources for a year or two.
Evil haxors can try all they want to brute force us and they are mostly
just wasting their time. Here is our usual setup:

# rhosts? What are we using, rlogin? (SSH protocol 1 option only)
RhostsRSAAuthentication no
# passwords are sooooo 90's
PasswordAuthentication no
# keyboard-interactive (PAM) can still prompt for a password unless this is off as well
ChallengeResponseAuthentication no
# use a centrally maintained ssh_known_hosts or DNSSEC SSHFP records
IgnoreUserKnownHosts yes
# meh, host-based is OK for clusters though
HostbasedAuthentication no
IgnoreRhosts yes
# OK now we're getting somewhere:
PubkeyAuthentication yes
# force all access through a centrally maintained list of keys
# (the directory and files must be root-owned and not writable by users)
AuthorizedKeysFile      /etc/ssh/users/%u.pub

Note: a user must go through the administrator to change their public
key. We typically store one pub key per user and check the keys against
a list of "known bad" keys (including the Debian blacklisted keys).
Although we can't enforce it, we stress the importance of having a strong
passphrase protecting their private key and train folks on how to
protect their private key (i.e. only install it on trusted machines, don't
send it over email, etc.).

Good luck..
Scott
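
As an added example (not part of Scott's message or of any tool he mentions), the following Python script audits a central key directory laid out the way his AuthorizedKeysFile line describes: one <user>.pub file per user, each expected to hold exactly one key, checked against a set of "known bad" SHA256 fingerprints and a minimum key-size policy. The sample key files and the blacklist it builds are constructed inline; the MIN_BITS policy and the blacklist-as-fingerprint-set representation are assumptions of this example, not something the post specifies.

```python
# Added example (not from the original post): audit a directory of centrally managed
# per-user SSH public keys laid out as AuthorizedKeysFile /etc/ssh/users/%u.pub.
# The key files and the fingerprint blacklist from build_sample_dir() are constructed.
import base64
import hashlib
import os
import struct
import tempfile

MIN_BITS = {"ssh-ed25519": 256, "ssh-rsa": 3072}   # assumed policy: allowed types, minimum size

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes, off: int):
    """Read one wire-format string at offset off; return (data, offset after it)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of the digest with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def key_bits(key_type: str, blob: bytes) -> int:
    """Key size in bits parsed from the blob (0 for types this example does not know)."""
    _, off = read_ssh_string(blob, 0)            # the type string repeated inside the blob
    if key_type == "ssh-rsa":
        _, off = read_ssh_string(blob, off)      # public exponent e
        n, _ = read_ssh_string(blob, off)        # modulus n as mpint (may lead with 0x00)
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-ed25519":
        return len(read_ssh_string(blob, off)[0]) * 8   # raw 32-byte public point
    return 0

def parse_key_line(line: str):
    """Return (key_type, blob) from an authorized_keys line. A leading options field is
    skipped; whitespace inside double quotes does not terminate it. Raises ValueError."""
    line = line.strip()
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            end = i
            break
    if not line[:end].startswith(("ssh-", "ecdsa-", "sk-")):   # first field is options
        line = line[end:].lstrip()
    fields = line.split(None, 2)                                  # type, base64, [comment]
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    blob = base64.b64decode(fields[1], validate=True)
    if read_ssh_string(blob, 0)[0] != fields[0].encode():
        raise ValueError("type field does not match the encoded key")
    return fields[0], blob

def audit_key_file(path: str, blacklist: set) -> list:
    """Check one user's key file against the policy; return the list of problems."""
    problems = []
    with open(path) as f:
        lines = [l for l in f if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) != 1:                          # the post's rule: one key per user
        problems.append(f"expected exactly one key, found {len(lines)}")
    for line in lines:
        try:
            key_type, blob = parse_key_line(line)
        except (ValueError, struct.error) as e:
            problems.append(f"unparseable key line: {e}")
            continue
        if fingerprint(blob) in blacklist:
            problems.append(f"blacklisted key {fingerprint(blob)}")
        if key_type not in MIN_BITS:
            problems.append(f"key type {key_type} not allowed")
        elif key_bits(key_type, blob) < MIN_BITS[key_type]:
            problems.append(f"{key_type} key is only {key_bits(key_type, blob)} bits")
    return problems

def audit_key_dir(directory: str, blacklist: set) -> dict:
    """Audit every <user>.pub file in the directory; return {user: [problems]}."""
    return {name[:-4]: audit_key_file(os.path.join(directory, name), blacklist)
            for name in sorted(os.listdir(directory)) if name.endswith(".pub")}

def build_sample_dir() -> tuple:
    """Write constructed sample key files to a temp dir; return (dir, blacklist)."""
    def mpint(x: int) -> bytes:
        return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    def line(blob: bytes, comment: str, options: str = "") -> str:
        t = read_ssh_string(blob, 0)[0].decode()
        return f"{options + ' ' if options else ''}{t} {base64.b64encode(blob).decode()} {comment}"
    good = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    leaked = ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)       # treated as known bad
    weak = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 1)  # 2048-bit modulus
    files = {
        "alice.pub": line(good, "alice@laptop", 'restrict,command="/usr/local/bin/backup --verify"'),
        "bob.pub": line(weak, "bob@desk"),
        "carol.pub": line(leaked, "carol@old"),
        "dave.pub": line(good, "dave") + "\n" + line(leaked, "dave-2"),
    }
    d = tempfile.mkdtemp()
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content + "\n")
    return d, {fingerprint(leaked)}
```

Running audit_key_dir(*build_sample_dir()) reports alice as clean, bob for an RSA key below the assumed 3072-bit floor, carol for a blacklisted fingerprint, and dave for both a second key in his file and that second key being blacklisted. In a real deployment the blacklist set would be loaded from the Debian blacklist files (or any other list of compromised keys) expressed as SHA256 fingerprints, and the script would be pointed at /etc/ssh/users.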
