On Feb 9, 2009, at 8:15 AM, Nikos Chantziaras <realnc@×××××.de> wrote:

> Heiko Wundram wrote:
>> On Monday 09 February 2009 13:37:31 Nikos Chantziaras wrote:
>>> Stroller wrote:
>>>> I install sudo, give my user wide sudo rights and then set
>>>> "PermitRootLogin no" in /etc/ssh/sshd_config.
>>>> (Critique of this measure welcomed).
>>> Since Hung already answered about the other problem, I'll just
>>> comment on this.
>>>
>>> It's a bad idea if the machine is open to the Internet, especially
>>> since it's easy to simply "su -" or "sudo" as a normal user.
>> Sorry, but I consider that to be BS advice (at least concerning
>> that you want to leave password-authentication open).
>> I'd always recommend disabling root login for ssh (as soon as that
>> is possible, i.e. you have an unprivileged account who is in group
>> wheel who you can use to access the machine in question), because
>> root is a "well-known" user (and thus lends itself well to a
>> [possibly distributed] ssh brute force).
>
> Er, didn't I actually say the same? If other people have network
> access to the machine, disable root. You misunderstood something.
>

I'd just as soon leave the root account able to be logged in over SSH
and remove password authentication in preference of a 2048-bit RSA
key. Just use a script to add failed logins to a deny list.
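As an added illustration of the deny-list script mentioned in the reply above (example code, not from anyone in this thread): a POSIX shell function that counts "Failed password" sshd entries per source address in auth-log lines and prints TCP-wrappers style hosts.deny entries for sources at or above a threshold. The log lines are constructed samples, and the threshold of 3 and the "sshd: ADDR" deny format are assumptions; on the sshd side, the matching setting is "PasswordAuthentication no" in /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: turn repeated sshd password failures
# into hosts.deny entries ("sshd: ADDR"). Addresses below are documentation
# ranges (RFC 5737), constructed for this sample only.

# Constructed sample auth log lines (not real traffic).
SAMPLE_LOG='Feb  9 08:10:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Feb  9 08:10:03 host sshd[1234]: Failed password for root from 192.0.2.10 port 51236 ssh2
Feb  9 08:10:05 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51238 ssh2
Feb  9 08:11:00 host sshd[1240]: Failed password for stroller from 198.51.100.7 port 40000 ssh2
Feb  9 08:12:00 host sshd[1241]: Accepted publickey for stroller from 198.51.100.7 port 40002 ssh2'

# deny_list THRESHOLD < logfile
# Prints "sshd: ADDR" once per source address with at least THRESHOLD
# failed password attempts, sorted, suitable for appending to /etc/hosts.deny.
# Successful logins ("Accepted publickey") are ignored on purpose.
deny_list() {
    threshold="${1:-3}"   # assumed default: three failures
    awk -v t="$threshold" '
        # Only sshd "Failed password" lines; the address is the field after "from".
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) print "sshd: " a }
    ' | sort
}

# Stand-alone demo: ./deny.sh --demo   (prints "sshd: 192.0.2.10")
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | deny_list 3
fi
```

Run it against the real log (e.g. /var/log/auth.log on many distributions) instead of the sample, and keep the threshold high enough that a single mistyped password does not lock out a legitimate address.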