[lug] root password
Ken MacFerrin
lists at macferrin.com
Wed Aug 2 16:44:06 MDT 2006
Sean Reifschneider wrote:
> On Wed, Aug 02, 2006 at 12:55:18PM -0600, Evelyn Mitchell wrote:
>> tummy.com uses SSH keys, not passwords for remote and administrative
>> access. One of the most sensitive times for security is during a change
>
> These days, we also recommend that SSH password authentication be disabled,
> because of the number of scans going on looking for weak passwords, and the
> rate of escalation of those scans.
>
I think you can still be pretty darn secure using password
authentication with the right config.
* A few obvious options:
PermitRootLogin no
PermitEmptyPasswords no
* Use a "whitelist" approach and only allow access for necessary users:
AllowUsers user1 user2
* Slow down any automated attacks by limiting the allowed number of
concurrent unauthenticated connections:
MaxStartups 10:30:60
* If possible for your setup, restrict logins to trusted IPs using TCP
Wrappers.
Using these options (and a few ounces of common sense when choosing your
password) it's going to be more probable you'll get rooted from someone
exploiting a bug in another service on your machine than from a brute
force ssh attack.
-Ken
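As an added example (not part of Ken's post or any OpenSSH tooling), the following POSIX shell script audits an sshd_config for the settings listed above: PermitRootLogin, PermitEmptyPasswords, AllowUsers and MaxStartups, plus an informational line on PasswordAuthentication since that is the thread's other recommendation. It relies on two facts about sshd_config parsing: keywords are case-insensitive, and the first occurrence of a keyword wins. Match blocks are ignored (the reader stops at the first Match line), which is a simplification; the sample config written to a temp file is constructed for the demo, not taken from any real host.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the hardening options discussed
# in the thread. Not from the original post. The sample config below is
# constructed for demonstration only.

# Print the effective value of a keyword from an sshd_config file.
#   $1 = path to config, $2 = keyword (matched case-insensitively)
# sshd uses the first occurrence of a keyword, so we stop at the first hit.
# Lines after a "Match" block header are conditional and are skipped here
# (simplification: we only audit global settings).
sshd_get() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }                          # comments / blank lines
    tolower($1) == "match" { exit }                   # stop at Match blocks
    tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Check one config file, printing one line per finding.
# Returns the number of WEAK findings (0 means all four options are set
# the way the post recommends).
check_sshd_config() {
  cfg=$1
  n=0

  v=$(sshd_get "$cfg" PermitRootLogin)
  [ "$v" = "no" ] || { echo "WEAK PermitRootLogin=${v:-unset} (want: no)"; n=$((n+1)); }

  # PermitEmptyPasswords defaults to "no", so only an explicit "yes" is flagged.
  v=$(sshd_get "$cfg" PermitEmptyPasswords)
  [ "$v" != "yes" ] || { echo "WEAK PermitEmptyPasswords=yes (want: no)"; n=$((n+1)); }

  v=$(sshd_get "$cfg" AllowUsers)
  [ -n "$v" ] || { echo "WEAK AllowUsers unset (no login whitelist)"; n=$((n+1)); }

  # start:rate:full enables random early drop: beyond "start" unauthenticated
  # connections sshd drops new ones with probability "rate"%, rising linearly
  # to 100% at "full". A bare number is only a hard cap, so we ask for the
  # three-field form the post suggests.
  v=$(sshd_get "$cfg" MaxStartups)
  case "$v" in
    *:*:*) ;;
    *) echo "WEAK MaxStartups=${v:-unset} (want start:rate:full, e.g. 10:30:60)"; n=$((n+1)) ;;
  esac

  v=$(sshd_get "$cfg" PasswordAuthentication)
  [ "$v" = "no" ] || echo "INFO PasswordAuthentication=${v:-unset}: password logins accepted (thread also recommends keys only)"

  return $n
}

# Demo on a constructed sample config (not a real host's file).
demo_cfg=$(mktemp)
cat >"$demo_cfg" <<'EOF'
# sample sshd_config, constructed for this example
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxStartups 10:30:60
EOF
check_sshd_config "$demo_cfg"
echo "weak findings: $?"
rm -f "$demo_cfg"
```

Run it against a real file with `check_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero return is the count of options still set the permissive way. The TCP Wrappers restriction from the post is not something sshd_config can show, but the usual shape is `sshd: ALL` in /etc/hosts.deny and `sshd: 192.0.2.` (your trusted prefix) in /etc/hosts.allow, which only helps when sshd was built with libwrap.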