| 1 |
On Feb 9, 2009, at 8:15 AM, Nikos Chantziaras <realnc@×××××.de> wrote: |
| 2 |
|
| 3 |
> Heiko Wundram wrote: |
| 4 |
>> Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras: |
| 5 |
>>> Stroller wrote: |
| 6 |
>>>> I install sudo, give my user wide sudo rights and then set |
| 7 |
>>>> "PermitRootLogin no" in /etc/ssh/sshd_config. |
| 8 |
>>>> (Critique of this measure welcomed). |
| 9 |
>>> Since Hung already answered about the other problem, I'll just |
| 10 |
>>> comment |
| 11 |
>>> on this. |
| 12 |
>>> |
| 13 |
>>> It's a bad idea if the machine is open to the Internet, especially |
| 14 |
>>> since |
| 15 |
>>> it's easy to simply "su -" or "sudo" as a normal user. |
| 16 |
>> Sorry, but I consider that to be BS advice (at least concerning |
| 17 |
>> that you want to leave password-authentication open). |
| 18 |
>> I'd always recommend disabling root login for ssh (as soon as that |
| 19 |
>> is possible, i.e. you have an unpriviledged account who is in group |
| 20 |
>> wheel who you can use to access the machine in question), because |
| 21 |
>> root is a "well-known" user (and thus lends itself well to a |
| 22 |
>> [possibly distributed] ssh brute force). |
| 23 |
> |
| 24 |
> Er, didn't I actually say the same? If other people have network |
| 25 |
> access to the machine, disable root. You misunderstood something. |
| 26 |
> |
| 27 |
I'd just as soon leave the root account able to be logged in over SSH |
| 28 |
and remove password authentication in preference of a 2048-bit RSA |
| 29 |
key. Just use a script to add failed logins to a deny list. |
Archives