On Sun 29 Jul 2012 at 15:00:04 -0300, Henrique de Moraes Holschuh wrote:

> Well, it is the one account that will accept remote logins (in Debian) that
> exists everywhere.

True. But the security of an account doesn't depend on whether the
username is known or unknown. If it does, you have problems. However,
seeing attempts to login with admin, user, bob, cora, crystal, opened,
etc, etc (just a selection from today's auth.log) is amusing. Yes, root
is there too - but I am still unperturbed.

>                     It is indeed an insecure default, mostly because by
> default we also allow password-based logins.

I am not going to argue that password-based logins are better than
key-based logins, or vice-versa. Site policy will determine which is
used. But if it can be demonstrated that a twenty character password can
be forced in a time-frame which makes sense I'll stop doing it and most
likely be grateful for the hole in my reasoning being exposed.
 
> Check your logs, and verify the frequency of brute-force attempts per
> username.

I stopped doing this a year or two back when it got up to a couple of
million a year. Frightening, eh? Not if you realise the idiocy of the
attempts and the futility involved. Even the ones which were
purposefully targeted and which had an actual username had no chance of
succeeding. What do they do? Guess at ten characters and work up? 10,
11, 12, etc. Time and statistics are on my side.

And this is without enlisting any further help from rate-limiting with
iptables, denyhosts, port knocking etc, all of which reduce worry but do
not increase security.

So what price "PermitRootLogin no"? I'd go for it, but only because
I want accesses to a root account to be accountable and trackable and
not because there are brute-force attempts on the account being made. If
keys or a strong password are employed the root account is no more
susceptible to being broken into than any other account.


Archive: http://lists.debian.org/20120729193204.GU6660@desktop

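Two things in the message above are easy to check rather than argue about: the "frequency of brute-force attempts per username" that the quoted reply asks for, and whether a twenty-character password can be exhausted at the observed rate of a couple of million attempts a year. The script below is an added example, not code from either poster. It parses sshd "Failed password" lines in the format Debian writes to /var/log/auth.log, counts them per username, uses sshd's own "invalid user" marker to separate guesses at real accounts from guesses at nonexistent ones, and then works out the search space for a password of a given length against a given attempt rate. The log lines, hostname and addresses are constructed for the example (RFC 5737 test networks), and the 95-symbol alphabet is an assumption (printable ASCII); substitute your own log and your own alphabet.

```python
import re
from collections import Counter
from math import log2

# Constructed sample of sshd lines as they appear in /var/log/auth.log on
# Debian (hypothetical host "desktop", RFC 5737 test addresses). These are
# not lines from the original message.
SAMPLE_AUTH_LOG = """\
Jul 29 14:01:12 desktop sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 29 14:01:15 desktop sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 29 14:02:01 desktop sshd[12350]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jul 29 14:02:04 desktop sshd[12350]: Failed password for root from 198.51.100.7 port 40114 ssh2
Jul 29 14:02:07 desktop sshd[12350]: Failed password for root from 198.51.100.7 port 40116 ssh2
Jul 29 14:03:30 desktop sshd[12360]: Failed password for invalid user bob from 203.0.113.9 port 33001 ssh2
Jul 29 14:04:10 desktop sshd[12371]: Accepted publickey for alice from 192.0.2.44 port 55000 ssh2: RSA SHA256:...
Jul 29 14:05:22 desktop sshd[12380]: Failed password for invalid user cora from 203.0.113.9 port 33010 ssh2
"""

# sshd writes "invalid user" when the account does not exist on the box,
# so that word alone tells us whether a guess could ever have succeeded.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def failed_logins_per_user(log_text):
    """Count failed password attempts per username across the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def split_by_account_validity(log_text):
    """Return (attempts against accounts that exist, attempts against accounts that don't)."""
    existing, nonexistent = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        target = nonexistent if m.group("invalid") else existing
        target[m.group("user")] += 1
    return dict(existing), dict(nonexistent)


def password_entropy_bits(length, alphabet_size=95):
    """Bits of search space for a uniformly random password (95 = printable ASCII, an assumption)."""
    return length * log2(alphabet_size)


def years_to_exhaust(length, attempts_per_year, alphabet_size=95):
    """Years needed to try every password of this length at the observed attempt rate."""
    return alphabet_size ** length / attempts_per_year


if __name__ == "__main__":
    for user, n in failed_logins_per_user(SAMPLE_AUTH_LOG).most_common():
        print(f"{n:4d}  {user}")
    existing, nonexistent = split_by_account_validity(SAMPLE_AUTH_LOG)
    print("real accounts targeted:", existing)
    print("nonexistent accounts targeted:", nonexistent)
    # The rate quoted in the message: a couple of million attempts a year.
    for length in (10, 12, 20):
        print(f"{length} chars: {password_entropy_bits(length):.1f} bits, "
              f"{years_to_exhaust(length, 2_000_000):.3g} years to exhaust")
```

Against the sample, root is the only existing account being guessed at; everything else is sshd telling you the username does not exist. The last loop is the arithmetic behind "time and statistics are on my side": twenty printable characters is about 131 bits, and at two million guesses a year the full space takes on the order of 10^33 years. That number only holds for passwords chosen uniformly from the whole alphabet; a dictionary word with a digit on the end has a far smaller real search space, which is the caveat the message's "strong password" wording is carrying.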