[asterisk-users] Asterisk / Vicidial systems over 4MB fiber

Lee Howard faxguy at howardsilvan.com
Thu Jun 12 10:16:18 CDT 2008


Jay R. Ashworth wrote:
> On Thu, Jun 12, 2008 at 08:02:24AM -0500, Tilghman Lesher wrote:
>   
>> One of the most frequent security issues comes not in the form of a
>> software flaw, but simply in people choosing easy-to-guess passwords
>> on the root account. There are two suggestions I have to reduce the
>> risk of this brute force. First, choose a username that is uncommon.
>> In your case, do not use 'root', 'admin', or even 'mark'. 'madams'
>> might be a good choice. Once you figure out that username, configure
>> sshd with the AllowUsers directive to ONLY allow logins from that
>> user.
>>     
>
> Your phrasing, here, Tilghman, suggests that you mean that the
> administrative account should be renamed from root to madams, and I'm
> fairly sure you don't actually mean that.  
>
> You actually mean "create a regular user, and lock the machine down so
> that's the only thing that can be used to log into it, at which point,
> when and 
>
>   
>>                                    If you need root access, install
>> sudo. If an attacker cannot figure out what your username is, then it
>> doesn't matter even if they guess your password, because they aren't
>> getting in.
>>     
>
> ...you can use sudo to get it.

Never, ever, ever, expose sshd to the public internet without 
firewalling.  Only let trusted IPs reach sshd.  The risk of brute force 
success, however small, is still far too great.  Again, do not expose 
sshd to the general public.

And for that matter... it's generally unwise to expose any service to 
the general public when the general public has no business using that 
service.

A little bit of time learning some iptables basics will go a long way here.

Thanks,

Lee.
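The two controls discussed in this message (a single uncommon, non-root login permitted by sshd, with root reached through sudo, and sshd reachable only from trusted IPs via iptables) fit in a few lines of configuration. The script below is an added example, not configuration from the list posters; the username `madams` is taken from Tilghman's suggestion, while the trusted source address `203.0.113.10/32`, the file paths and the function names are constructed for illustration. The iptables rules are printed rather than applied so the script runs without root and can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the asterisk-users post): a hardened sshd_config
# fragment, a small audit of it, and matching iptables rules that admit
# sshd only from trusted sources.

# Constructed sample sshd_config fragment, written to a scratch file.
SSHD_CFG="${TMPDIR:-/tmp}/sshd_config.example"
cat > "$SSHD_CFG" <<'EOF'
# Only the one uncommon, non-root account may log in over ssh (username
# from the list discussion).
AllowUsers madams
# Root never logs in directly; the allowed account uses sudo instead.
PermitRootLogin no
# Keys only, so a guessed password alone gains nothing.
PasswordAuthentication no
EOF

# audit_sshd_config FILE
# Returns 0 when the file restricts logins with AllowUsers and disables
# direct root login; returns 1 otherwise.
audit_sshd_config() {
    f="$1"
    grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$f" || return 1
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$f" || return 1
    return 0
}

# firewall_rules CIDR...
# Prints iptables rules that accept TCP/22 from each trusted CIDR and drop
# it from everyone else. Rules are appended (-A), so the ACCEPT lines must
# come before the final DROP, which is why the loop runs first.
firewall_rules() {
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Usage: audit the sample config, then show the rules for one trusted host
# (203.0.113.10/32 is a constructed documentation address).
if audit_sshd_config "$SSHD_CFG"; then
    echo "sshd_config: AllowUsers set and root login disabled"
else
    echo "sshd_config: NOT hardened" >&2
fi
firewall_rules 203.0.113.10/32
```

Because `-A` appends to the chain, any earlier rule that already accepts all TCP traffic would make the DROP line unreachable; check `iptables -L INPUT -n --line-numbers` before relying on the ordering, and keep an out-of-band console available in case the trusted address list is wrong.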
