Avoid Brute Force: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(Die Seite wurde neu angelegt: „=SSH:= *Don't allow root to login *Don't allow ssh passwords (use private key authentication) *Don't listen on every interface Create a network interface fo…“) |
(→SSH:) |
||
| Zeile 6: | Zeile 6: | ||
*Don't listen on every interface | *Don't listen on every interface | ||
| − | Create a network interface for SSH | + | |
| + | *Create a network interface for SSH, which is different to the interface you serve requests. | ||
*Don't use common usernames | *Don't use common usernames | ||
Version vom 13. November 2018, 20:26 Uhr
SSH:
- Don't allow root to login
- Don't allow ssh passwords (use private key authentication)
- Don't listen on every interface
- Create a network interface for SSH, which is different to the interface you serve requests.
- Don't use common usernames
- Use an allow list, and only allow users that require SSH Access
- If you require Internet Access...Restrict Access to a finite set of IPs.
- If possible find a way to connect without Internet Access.
- Use software like fail2ban to catch any brute force attacks
- Make sure OS is always up to date, in particular security and ssh packages
Application:
- Make sure your application is always up to date, in particular security packages
- Lock down your application 'admin' pages. Many of the advice above applies to the admin area of your application too.
- Password Protect your admin area
- Lock down file permissions. 'Upload folders' are notorious for being entry points of all sorts of nasty stuff.
- Consider putting your application behind a private network, and only exposing your front-end load balancer and a jumpbox (this is a typical setup in AWS using VPCs)