Re: [Bastille-linux-discuss] TCP Wrappers weakened stance?
From: Lee E. B. <le...@br...> - 2004-10-27 13:16:08
On Wed, 2004-10-27 at 21:11, Jay Beale wrote:
> 0) keep the default-deny stance in TCP wrappers
> 1) set a default-allow stance on localhost
> 2) automatically allow ssh access from any networks the hardened host
> has a network interface on.
>
> Number 2 is obviously the tough one here, but I think it's a decent
> compromise. What do you all think?
>
> - Jay

This is a reasonable approach. Some quick thoughts:

Make sure the default settings percolate through to the firewall setup, too. There's not much help in opening SSH for wrappers and closing it on the TCP/IP stack. ;-)

There is currently a widespread SSH password brute-force attack program in the wild. If you have a strong password, it's not much of a threat; however, passwords in general are insecure as a sole means of authentication and access control. I strongly suggest that the default settings for sshd_config include the following:

    PermitRootLogin No
    RSAAuthentication Yes
    PubkeyAuthentication Yes
    PasswordAuthentication No

It's been a while since I looked, so maybe Bastille is doing this already. Unfortunately, this could result in more e-mail support telling hapless users that they have to "sneaker-net" their public key to the authorized_keys[2] file(s) in order to gain access to the remote hosts. That's a small price to pay, IMNSHO.

At NASA, we've had such a problem with password cracking and password theft that we are in the process of issuing smartcards to all employees and requiring their use for two-factor authentication for all IT assets. It's a huge paradigm shift that I'm sure will be difficult for the legitimate users at first, but worth it in the end.

-- 
-- Lee E. Brotzman, CISSP
-- NASA Incident Response Center
-- SP Systems, Inc.
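The two concrete pieces of the thread above, as an added example that is not part of the original post and not Bastille's own code: an audit of an sshd_config for the directives Lee recommends, and a rendering of hosts.allow / hosts.deny for Jay's three-point stance (default deny, allow localhost, allow sshd from every network the host sits on). The audit applies sshd's real rule that the first occurrence of a keyword wins, which is the way a hardening line appended to the bottom of the file gets silently ignored. The sample config text and the interface networks are constructed for the example; the IPv6 bracket syntax assumes an IPv6-aware tcp_wrappers build.

```python
"""Added example (not Bastille's code): sshd_config audit and TCP wrappers
rendering for the settings discussed in the thread."""
import ipaddress

# Directives the post recommends and the value each should carry.
# sshd treats keywords and yes/no values case-insensitively.
RECOMMENDED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
}


def effective_settings(config_text):
    """Return {keyword: value} as sshd would actually apply them.

    sshd uses the FIRST occurrence of each keyword, not the last, so a
    hardening line appended after an earlier setting does nothing.
    Parsing stops at the first 'Match' block: everything after it is
    conditional and must not be read as the global value.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:                      # "Key=value" form
            key, value = line.split("=", 1)
        else:                                # "Key value" form
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        key, value = key.strip().lower(), value.strip()
        if key == "match":
            break
        settings.setdefault(key, value)      # first occurrence wins
    return settings


def audit_sshd_config(config_text):
    """Return (keyword, effective_value, wanted) for every recommended
    directive that is unset or set to something other than wanted."""
    eff = effective_settings(config_text)
    findings = []
    for key, wanted in RECOMMENDED.items():
        got = eff.get(key, "(unset: sshd default)")
        if got.lower() != wanted:
            findings.append((key, got, wanted))
    return findings


def wrappers_client(net):
    """Format a network the way hosts_access(5) expects it."""
    if net.version == 4:
        return f"{net.network_address}/{net.netmask}"
    return f"[{net.network_address}]/{net.prefixlen}"   # assumes IPv6-aware tcp_wrappers


def render_tcp_wrappers(local_networks):
    """Render (hosts.allow, hosts.deny) for the stance in the thread.

    local_networks: 'addr/prefix' or 'addr/netmask' strings, i.e. what you
    would read off the host's own interfaces (constructed here, not probed).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    allow_lines = ["ALL : 127.0.0.1 [::1]"]          # default-allow on localhost
    if nets:
        allow_lines.append("sshd : " + " ".join(wrappers_client(n) for n in nets))
    hosts_allow = "\n".join(allow_lines) + "\n"
    hosts_deny = "ALL : ALL\n"                         # default-deny stays in place
    return hosts_allow, hosts_deny


# Constructed sample: a hardening pass appended its lines after an earlier
# PasswordAuthentication, and a Match block follows.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
# appended later by a hardening script; sshd ignores it, first value wins
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PubkeyAuthentication yes
"""

# The defaults Lee proposes, verbatim.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin No
RSAAuthentication Yes
PubkeyAuthentication Yes
PasswordAuthentication No
"""

if __name__ == "__main__":
    for key, got, wanted in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{key}: effective '{got}', want '{wanted}'")
    allow, deny = render_tcp_wrappers(["192.168.1.10/24", "10.0.0.5/255.255.0.0", "fd00::1/64"])
    print("--- hosts.allow ---\n" + allow + "--- hosts.deny ---\n" + deny)
```

Run it and the sample config is flagged on PasswordAuthentication (the appended "no" never takes effect) and on PubkeyAuthentication (only set inside the Match block), while the proposed defaults pass clean; the rendered hosts.allow lists localhost for ALL and the attached networks for sshd only, with hosts.deny keeping ALL : ALL so the default-deny stance Jay wants to preserve is untouched.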