Author: Nigel Rantor
Date:
To: Andy Smith
CC: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet

Andy Smith wrote:
> Do you think there's any pro-active measures that would be
> acceptable to VPS customers? Typical ways to foil SSH dictionary
> attacks:
>
> 1) Only use strong passwords.
>
> 2) Don't use passwords at all, only keys.
>
> 3) Disable root login.
>
> 4) Restrict the list of usernames that are valid, in combination
> with (1) and (3).
>
> 5) Install DenyHosts or Fail2Ban.
>
> 6) Move sshd to another port.
>
> More?

Well, I understand your problem. I only really like options 2, 3 and 5
(I like 1 but 2 is better).

Fundamentally, if you really want to admin a server, part of the deal is
about being a good neighbor. I understand you don't want to scare
customers away and education is really, really difficult.

Maybe there are some customers who don't really need admin access to a
box, or rather, do need admin access to do what they require but don't
have enough knowledge to do it safely.

I have been thinking about this for a while and see a couple of
alternatives in addition to promoting 1, 2, 3 and 5 above.

- Allow password or key based provisioning but have some form of
incremental tightening of security on boxes that have been compromised
as part of the TOS.

- Provide a financial incentive for the customer to request key-based
provisioning and points 1, 2, 3, and 5 above. Think of it like
insurance, your premiums are higher if you are more of a risk.

- Offer sysadmin services for customers who require fine control over a
machine but do not have the requisite knowledge to administer the machine.

n

NB: Yes, I had my machine provisioned via password but the first thing I
did was lock it down with 2 and 3 above.
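
Measures 2, 3, 4 and 6 from the quoted list each correspond to an sshd_config setting. The sketch below is an added example, not part of the original message or of anything BitFolk provides: it reads a config and reports which of those measures are actually in effect. The function names and both sample configs are constructed for illustration, and Match blocks are not evaluated.

```python
# Added example; the sample configs below are constructed.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers alice deploy
# sshd keeps the first value it reads for a keyword, so this line has no effect
PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return {keyword: [args, ...]} for the global section of an sshd_config."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":
            break                           # Match blocks are not evaluated here
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"   # deprecated alias
        seen.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Map measures 2, 3, 4 and 6 from the list to the effective sshd settings."""
    cfg = parse_sshd_config(text)
    def first(key, default):                # first occurrence wins; else OpenSSH default
        return cfg.get(key, [default])[0].lower()
    return {
        # Assumption: keyboard-interactive counts as a password path (PAM usually prompts for one)
        "keys_only": first("passwordauthentication", "yes") == "no"
                     and first("kbdinteractiveauthentication", "yes") == "no",
        # "prohibit-password" still lets root in with a key, so only "no" counts
        "root_login_disabled": first("permitrootlogin", "prohibit-password") == "no",
        "allowed_users": [u for v in cfg.get("allowusers", []) for u in v.split()],
        "moved_off_port_22": "22" not in cfg.get("port", ["22"]),
    }

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

On a live host, `sshd -T` prints the effective configuration after defaults and includes are resolved, which is the better input for a check like this than the raw file.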