Security Incidents mailing list archives
Re: Internet SSH scans
From: Valdis.Kletnieks () vt edu
Date: Thu, 23 Mar 2006 15:07:38 -0500
On Thu, 23 Mar 2006 09:01:08 GMT, Michael.Lang () jackal-net at said:
> retries, ... for my understanding it doesn't make sense to lock out root. There are enough exploits to gain root access anyway.
This is more an "auditing" requirement than providing extra security. If I get called at 3:02AM because backups failed because some chucklehead made a typo in a config file, which do I want to see in the logs?

A) Somebody ssh'ed from the terminal server as root and vi'ed /etc/back.config

B) Joe ssh'ed in from the terminal server, and did 'sudo vi /etc/back.config'

In the second case, I can call Joe at 3:09AM and ask him what crack he was smoking at 1:15AM.... which is the whole point of the no-root restriction.

Remember - the *single* most dangerous thing to the average Cisco router isn't a hacker with a 0-day IOS sploit - it's the "banana eater with enable"(*). The same is true for every other operating system....

(*) "banana eater" - the low level tech staff at a NOC are often referred to as 'NOC monkeys'. 'enable' is the IOS equivalent of a Unixoid 'su'.
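An added example, not part of the original post: a small audit pass over syslog-style auth lines that separates case B (sudo commands tied to a named user) from case A (direct root SSH sessions, where the log cannot say who was at the keyboard). The log lines, host name, and addresses are constructed, and the patterns assume the common OpenSSH and sudo syslog formats.

```python
import re

# Constructed sample auth-log lines (assumed syslog format, not from the post).
SAMPLE_LOG = """\
Mar 23 01:10:44 backup1 sshd[4021]: Accepted password for root from 10.0.0.5 port 40112 ssh2
Mar 23 01:14:50 backup1 sshd[4188]: Accepted publickey for joe from 10.0.0.5 port 40131 ssh2
Mar 23 01:15:02 backup1 sudo:      joe : TTY=pts/1 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/vi /etc/back.config
Mar 23 01:20:13 backup1 sshd[4302]: Failed password for root from 192.0.2.77 port 51515 ssh2
"""

TS = r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ "
SSH_OK = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(TS + r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def audit(log_text):
    """Split root activity into attributable sudo commands and anonymous root logins.

    Returns (attributable, anonymous):
      attributable: [(timestamp, invoking_user, command)] for sudo-to-root events
      anonymous:    [(timestamp, source_address)] for successful direct root SSH logins
    """
    attributable, anonymous = [], []
    for line in log_text.splitlines():
        m = SUDO.match(line)
        if m:
            if m["target"] == "root":
                attributable.append((m["ts"], m["user"], m["cmd"]))
            continue
        m = SSH_OK.match(line)
        if m and m["user"] == "root":
            # Only the source address is known; the human behind it is not.
            anonymous.append((m["ts"], m["src"]))
    return attributable, anonymous

def who_touched(log_text, path):
    """Names of users whose sudo command line mentions the given path."""
    attributable, _ = audit(log_text)
    return sorted({user for _, user, cmd in attributable if path in cmd})

if __name__ == "__main__":
    named, unnamed = audit(SAMPLE_LOG)
    for ts, user, cmd in named:
        print(f"{ts}  {user} ran as root: {cmd}")
    for ts, src in unnamed:
        print(f"{ts}  root login from {src}: operator unknown")
```

With `PermitRootLogin no` set in `sshd_config`, the second list stays empty and every privileged change carries a user name.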