From: Vincent Danen
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: runit-1.8.0 available
Date: Mon, 22 Oct 2007 16:17:17 -0600
Message-ID: <20071022221717.GY13517@linsec.ca>
In-Reply-To: <20071020222050.GD25023@home.power>
To: supervision@list.skarnet.org
* Alex Efros [2007-10-21 01:20:51 +0300]:

>Hi!
>
>On Sat, Oct 20, 2007 at 06:11:26PM -0400, George Georgalis wrote:
>> it sounds like a signal is not reaching init, SIGPIPE?
>
>PIPE? You mean CHLD?
>
>> The following sed to default sshd_config
>> s/.*PasswordAuthentication.*/PasswordAuthentication no/
>> s/.*UsePam.*/UsePam no/
>> will really cut back the impact of bad internet on public sshd port,
>> of course you will only be able to use keys (PKI/RSA) to connect.
>
>Yeah, this is my default ssh configuration. :) But ssh worms try to
>connect anyway (they don't know it's senseless :)) and so ssh forks new
>processes for these connections, and these processes become unreaped
>zombies at some point.

The simplest thing to do would be to either use tcp_wrappers or run sshd
out of xinetd or (my favourite) ipsvd. With some appropriate ACLs and
IP-based restrictions, you can reduce those attacks to *0* reaching sshd,
as xinetd/ipsvd would deny them before even starting sshd.
-- 
Vincent Danen @ http://linsec.ca/
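The sshd_config change George quotes above, done idempotently and then checked against the value sshd would actually use, as an added example that is not code from the thread or from runit/ipsvd. It is POSIX sh plus awk; the function names and the sample sshd_config it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the two sshd_config changes
# George quotes (PasswordAuthentication no, UsePAM no) idempotently and verify
# the value sshd would actually use. Function names and the sample config
# below are constructed for this example.
set -u

# Rewrite every line whose keyword is KEY, commented out or not, to "KEY VALUE"
# (sshd_config keywords are case-insensitive, so "UsePam" and "UsePAM" match),
# and append the directive if the file never mentioned KEY at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#*[ \t]*/, "", line)        # drop indent and comment marker
            split(line, f, /[ \t=]+/)                # f[1] is the keyword
            if (tolower(f[1]) == tolower(key)) {
                if (!seen) { print key " " value; seen = 1 }   # keep one copy only
                next
            }
            print
        }
        END { if (!seen) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the value sshd would use for KEY: the first uncommented occurrence,
# and only in the global section (the first Match block ends it).
effective_value() {
    file=$1 key=$2
    awk -v key="$key" '
        /^[ \t]*#/ { next }                          # comment, not a directive
        tolower($1) == "match" { exit }              # global section is over
        tolower($1) == tolower(key) { print $2; exit }
    ' "$file"
}

# Apply both changes and return success only if they took effect.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" UsePAM no
    [ "$(effective_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_value "$1" UsePAM)" = no ]
}

# Constructed sample config: a commented-out default and an explicit UsePAM yes.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config, not any real host's file
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

demo() {
    f=$(mktemp) || return 1
    make_sample_config "$f"
    if harden_sshd_config "$f"; then
        echo "hardened config:"
        cat "$f"
    else
        echo "hardening failed" >&2
    fi
    rm -f "$f"
}

demo
```

Run it on a copy of the real file, then validate the copy with `sshd -t -f /path/to/copy` before swapping it in and reloading. Note what this does and does not buy you: with passwords and PAM off, scanners can no longer guess credentials, but each connection still reaches sshd and forks a child, which is exactly the zombie pile-up Alex describes. Denying the source before accept, as with the tcp_wrappers, xinetd or ipsvd ACLs suggested in the reply, is what keeps the fork from happening at all.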