Bringing back tcp wrappers
Lucas Holt
luke at foolishgames.com
Thu Jun 24 03:02:30 AEST 2021
> On Jun 23, 2021, at 12:19 PM, Brian Candler <b.candler at pobox.com> wrote:
>
> On 23/06/2021 17:03, Saint Michael wrote:
>> I got hacked in 72 servers this week, they installed Bitcoin miners.
>
> Are you saying this happened through opensshd?
>
> What specifically was the cause: do you allow password authentication for example?
>
> You can control this by IP address with "Match" clauses in sshd_config. For example:
>
> PasswordAuthentication no
>
> Match Address 10.0.0.0/8,fc00::/7
>     PasswordAuthentication yes
>
> This will allow passwords only from the 10.0.0.0/8 and fc00::/7 networks, forcing connections from the Internet to use a proper authentication mechanism (e.g. keys).
>
>
Another option would be to set up 2FA through a third party service with OpenSSH. I’ve got Duo set up for OpenSSH connections on critical MidnightBSD systems for this reason.
Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)
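
Added example, not part of the original message or of OpenSSH: a simplified Python model of how the quoted `Match Address` snippet resolves `PasswordAuthentication` for a given client address, usable as an audit check on a config file. The function name `effective_setting` and the sample addresses are assumptions; only `Match Address` with comma-separated CIDR entries is modelled.

```python
import ipaddress

# Constructed sample mirroring the sshd_config snippet quoted above.
SAMPLE_CONFIG = """\
PasswordAuthentication no

Match Address 10.0.0.0/8,fc00::/7
    PasswordAuthentication yes
"""

def effective_setting(config_text, keyword, source_ip):
    """Return the value applied to `keyword` for a client at source_ip.

    Simplified model (assumption): only 'Match Address' with CIDR lists,
    no negation, wildcards or other criteria. A matching Match block
    overrides the global section; within a section the first value wins.
    """
    addr = ipaddress.ip_address(source_ip)
    global_val = match_val = None
    in_match = False   # True once any Match line has been seen
    applies = False    # True while the current Match block covers addr
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = arg.split(None, 1)
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError(f"unsupported Match criteria: {arg!r}")
            nets = [ipaddress.ip_network(n.strip(), strict=False)
                    for n in crit[1].split(",")]
            in_match = True
            applies = any(addr.version == n.version and addr in n for n in nets)
        elif key == keyword.lower():
            if in_match:
                if applies and match_val is None:
                    match_val = arg
            elif global_val is None:
                global_val = arg
    return match_val if match_val is not None else global_val

if __name__ == "__main__":
    for ip in ("10.1.2.3", "fd12:3456::1", "203.0.113.7", "2001:db8::1"):
        print(ip, effective_setting(SAMPLE_CONFIG, "PasswordAuthentication", ip))
```

On a real host, `sshd -T` with `-C` connection parameters (such as `addr=`) prints the effective configuration and is the authoritative check.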
More information about the openssh-unix-dev mailing list