Hello, just an FYI, maybe you haven't seen the study:

https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, "The Dark Side of the ForSSHe", they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats.

PDF: https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Any creative hints to defend against these kinds of threats? Thinking of, e.g.:

- A new default option in PermitRootLogin to only allow someone to log in for the first x times (where x = e.g. 3) with a password for root; from that point, root is only allowed to log in with an ssh key, until the next sshd restart? Maybe that way more people would use key-based auth and there would be less credential stealing?
- Or, e.g., if an "rpm -V openssh-server" says that the original binaries were modified, sshd would show a warning before asking for credentials?
- Or how to ensure not to run unsigned ELF/binaries/code? In OpenBSD or on Linux..
- Or how to ensure that nothing can be installed with the same package name?
- How about blacklisting some often-used passwords? e.g.: https://github.com/eset/malware-ioc/tree/master/sshdoor (either used by humans often or by backdoors)
- When will "passwd" have an option to give/generate passwords from 4 random English words from a 65k wordlist?

Thanks, just thinking out loud.
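A defender-side sketch of the "rpm -V openssh-server" idea from the post, added here as an example and not part of the original message or of OpenSSH itself: it parses the verify output (the sample below is constructed, not from a real host) and flags modified or missing package binaries while ignoring config files that an admin is expected to edit. The RPM database lives on the same host as the suspect binary, so this is a cheap hint, not a trust root.

```python
import re
from dataclasses import dataclass

# Constructed sample of `rpm -V openssh-server` output: the sshd binary differs in
# digest (5), size (S) and mtime (T); sshd_config is a config file (attr "c") that was
# legitimately edited; sftp-server has been removed. Not output from any real host.
SAMPLE_RPM_V_OUTPUT = """\
S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/libexec/openssh/sftp-server
"""

# rpm -V line: 9 test flags (S M 5 D L U G T P, "." = passed, "?" = not testable)
# or the word "missing", an optional file-attribute letter (c d g l r), then the path.
_LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr]+)\s+)?(?P<path>/\S+)$"
)

@dataclass(frozen=True)
class Finding:
    path: str
    reason: str

def parse_rpm_verify(output: str) -> list[Finding]:
    """Return one Finding per file whose content, ownership or presence changed."""
    findings: list[Finding] = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparsed verify line"))
            continue
        flags, attr, path = m.group("flags"), m.group("attr") or "", m.group("path")
        if flags == "missing":
            findings.append(Finding(path, "file missing"))
            continue
        if "c" in attr:
            continue  # locally edited config files are expected, not a tamper signal
        changed = [name for flag, name in (("5", "digest"), ("S", "size"), ("M", "mode"),
                                            ("U", "owner"), ("G", "group")) if flag in flags]
        if changed:  # an mtime-only (T) change is not treated as evidence by itself
            findings.append(Finding(path, "content changed: " + ", ".join(changed)))
    return findings

def sshd_integrity_ok(output: str) -> bool:
    """True when the verify output contains no tamper or missing-file findings."""
    return not parse_rpm_verify(output)

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE_RPM_V_OUTPUT):
        print(f"WARNING: {f.path}: {f.reason}")
```

On a real host the output would come from `subprocess.run(["rpm", "-V", "openssh-server"], capture_output=True, text=True).stdout`; the same parsing applies.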