Setting SSH "PermitRootLogin no" and "PasswordAuthentication no" is a good
start... I'd also check that "ChallengeResponseAuthentication no" is
set, as some PAM modules will utilize it and be able to get
around passwords being entered, as well as "UsePAM no".

    I do agree locking the root password isn't advisable. As I use
configuration management/automation to handle my servers, I simply set
the root password to a generated password that only I know the algorithm
to reproduce when I need to, but enable sudoers for all other 'root'
access.

    I also go further by utilizing Duo Security as an MFA for SSH logins
to my servers for accounts authorized to log in.

On 2/17/2016 10:26 AM, Peter Ludikovsky wrote:
> More or less. What I wouldn't agree with is locking the root account
> completely, because, like Thomas said, you'll be locked out should you
> ever be dropped to a rescue shell due to a hardware error.
>
> Regards,
> /peter
>
> Am 17.02.2016 um 15:56 schrieb Tom Browder:
> > On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky
> > <pe...@ludikovsky.name> wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> > ...
>
> > Thanks, Peter.  Do you agree with Darac's solution?
>
> > Best,
>
> > -Tom
>
>
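An added example, not part of this thread or written by any of its participants: a small POSIX sh checker for the four sshd_config keywords discussed above (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication, UsePAM). It reproduces the rule sshd_config(5) documents, that for each keyword the first value read is the one used, and it only looks at the global section, since anything after the first "Match" line is conditional. The function names (sshd_effective, sshd_audit), the expected values, and the two sample config files are assumptions made for the example; the sample files are constructed here and are not real host configs.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config file for the
# hardening keywords under discussion. sshd uses the FIRST value it reads
# for a keyword, so "PasswordAuthentication yes" above a later
# "PasswordAuthentication no" wins; the checker applies that rule and
# stops at the first "Match" line (Match blocks apply conditionally).

# Print the effective value of one keyword (keyword match is
# case-insensitive, first occurrence wins). Prints nothing when the
# keyword is unset, meaning sshd falls back to its built-in default.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }              # conditional section: stop
        NF == 0 || $0 ~ /^[[:space:]]*#/ { next }    # skip blanks and comments
        tolower($1) == key { print tolower($2); exit }   # first hit wins
    ' "$1"
}

# Check the four keywords against the values assumed here; print one
# PASS/FAIL line per keyword and return 1 if any of them fails.
sshd_audit() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key (effective: ${got:-<default>}, want: $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real host files) to exercise the checker.
weak=$(mktemp); strong=$(mktemp)
cat > "$weak" <<'EOF'
# weak: the later "no" is ignored because the first value wins
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
EOF
cat > "$strong" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Match User backup
    # inside a Match block: conditional, so not counted by the checker
    PasswordAuthentication yes
EOF
echo "== weak =="; sshd_audit "$weak" || echo "weak config fails the audit (expected)"
echo "== hardened =="; sshd_audit "$strong"
rm -f "$weak" "$strong"
```

On a live host the authoritative view is `sshd -T` (with a Match target via `-C` if you care about a specific user or address), which prints the effective configuration after all of sshd's own parsing; `sshd -t` syntax-checks the file before a restart. The checker above is for reviewing files pulled from configuration management before they reach a host.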

