Bringing back tcp wrappers

Lucas Holt luke at foolishgames.com
Thu Jun 24 03:02:30 AEST 2021



> On Jun 23, 2021, at 12:19 PM, Brian Candler <b.candler at pobox.com> wrote:
> 
> On 23/06/2021 17:03, Saint Michael wrote:
>> I got hacked in 72 servers this week, they installed Bitcoin miners.
> 
> Are you saying this happened through opensshd?
> 
> What specifically was the cause: do you allow password authentication for example?
> 
> You can control this by IP address with "Match" clauses in sshd_config.  For example:
> 
> PasswordAuthentication no
> 
> Match Address 10.0.0.0/8,fc00::/7
> PasswordAuthentication yes
> 
> This will allow passwords only from the 10.0.0.0/8 and fc00::/7 networks, forcing connections from the Internet to use a proper authentication mechanism (e.g. keys).
> 
> 


Another option would be to set up 2FA through a third party service with OpenSSH.  I’ve got Duo set up for OpenSSH connections on critical MidnightBSD systems for this reason.




Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)
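
The address-scoped password policy quoted above can be checked offline before it is deployed. The following is an added example, not part of the original thread and not OpenSSH code: a simplified model that understands only global lines and `Match Address` blocks with CIDR patterns, with hypothetical function names and a constructed sample config.

```python
import ipaddress

# Constructed sample: the sshd_config fragment quoted in the thread.
SAMPLE_CONFIG = """\
PasswordAuthentication no

Match Address 10.0.0.0/8,fc00::/7
PasswordAuthentication yes
"""

def _address_matches(patterns, client):
    """True if client is inside any CIDR of a comma-separated pattern list."""
    ip = ipaddress.ip_address(client)
    hit = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            if negate:
                return False  # a negated match makes the whole list fail
            hit = True
    return hit

def password_auth_allowed(config_text, client):
    """Effective PasswordAuthentication for one source address (simplified)."""
    global_value = match_value = None
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = arg.split(None, 1)
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError(f"unsupported Match criterion: {arg!r}")
            in_match, applies = True, _address_matches(crit[1], client)
        elif keyword == "passwordauthentication":
            # The first value obtained wins; a matching block overrides global.
            if in_match and applies and match_value is None:
                match_value = arg
            elif not in_match and global_value is None:
                global_value = arg
    # sshd's built-in default for PasswordAuthentication is "yes".
    return (match_value or global_value or "yes") == "yes"
```

On a live host, `sshd -T` with a `-C` connection specification (for example `addr=203.0.113.5`) prints the settings sshd itself would apply to that source address.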