On Tue, Dec 09, 2008, Chris Boyd wrote:
On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user-level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities, thus gaining access to the system.
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
By the time you know the user has been compromised, it's too late.
We normally don't allow password authentication with ssh, requiring authorized_keys. In the cases where we have to allow password authentication, we severely restrict ssh access using the /etc/hosts.allow file.
Bill
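As an added example that is not part of the thread, here is a POSIX shell audit of the three controls Chris and Bill mention (AllowUsers, password authentication off, an sshd entry in hosts.allow); the file paths, function names and sample inputs are assumptions, not anything from the list.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config and a hosts.allow
# file for the controls discussed above. Paths are arguments so it can be run
# against copies or constructed sample files. Assumes the "Keyword value"
# form of sshd_config lines (not "Keyword=value").

# Print the global value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, so we stop at the first hit, and we stop at the
# first "Match" block because values inside it are conditional.
sshd_opt() {  # $1 = config file, $2 = keyword (case-insensitive)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, ""); print; exit
    }' "$1"
}

# Report deviations from the posture above; returns the number of findings.
audit_sshd() {  # $1 = sshd_config, $2 = hosts.allow
  cfg="$1"; hosts_allow="$2"; findings=0

  # sshd defaults PasswordAuthentication to "yes" when the keyword is absent.
  pw="$(sshd_opt "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')"
  if [ "$pw" != "no" ]; then
    echo "WARN: PasswordAuthentication is '${pw:-yes (default)}'; prefer keys only"
    findings=$((findings + 1))
  fi

  # Without AllowUsers, every account with a shell and a password can log in.
  users="$(sshd_opt "$cfg" AllowUsers)"
  if [ -z "$users" ]; then
    echo "WARN: no AllowUsers line; any local account may log in over ssh"
    findings=$((findings + 1))
  else
    echo "INFO: ssh logins limited to: $users"
  fi

  # When passwords are accepted, expect a source restriction for sshd in
  # hosts.allow. Caveat: this only takes effect on sshd builds with
  # tcp_wrappers support (dropped by upstream OpenSSH in 6.7); on newer
  # builds use a Match Address block or the host firewall instead.
  if [ "$pw" != "no" ] && ! grep -qiE '^[[:space:]]*sshd[[:space:]]*:' "$hosts_allow" 2>/dev/null; then
    echo "WARN: passwords allowed but no sshd entry in $hosts_allow"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

Run it as `audit_sshd /etc/ssh/sshd_config /etc/hosts.allow`; the exit status is the number of findings, so zero means all three controls are in place.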