Paul Wouters wrote:

> No. If you want to do it properly, disallow all password logins, and only
> allow logins with SSH keys. Then it also does not really matter that root can
> log in directly, something that is usually needed for things like offsite
> backups.

Of late I've been moving SSH to any port but 22; this limits crud in log files if nothing else, since most/all automated attacks only bother with the standard port.

I've also been playing with two-factor authentication. SSH keys aren't always easy to port/use, but the chance of getting the right password in the time frame is minimal. http://www.freeauth.org has a Java midlet for phones and information on setting things up on servers etc.; it can even centralise authentication across multiple servers via RADIUS etc.

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
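The settings the two posts argue about (password logins off, key logins on, root login only when keys are the sole path, the noise cost of port 22, and the keyboard-interactive path that PAM-based two-factor setups usually ride on) can be checked mechanically. The script below is an added example written for this archive page; it is not code from either poster or from freeauth.org. It assumes OpenSSH's plain "Keyword value" sshd_config syntax with '#' comments and first-occurrence-wins semantics, ignores Match blocks, and uses current OpenSSH defaults for absent keywords (older releases defaulted PermitRootLogin to yes, so the file should always set it explicitly).

```shell
#!/bin/sh
# Audit an sshd_config against the posture discussed in the thread.
# Assumptions (not from the thread): OpenSSH "Keyword value" syntax,
# '#' comments, first occurrence of a keyword wins, Match blocks ignored.

# Effective value of a keyword: first non-comment occurrence, lower-cased,
# or the supplied default when the keyword is absent from the file.
sshd_value() {
    # $1 = config file, $2 = keyword, $3 = default when unset
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print one line per finding (WEAK: or NOTE:) and return the number of WEAK
# findings, so a return of 0 means the file matches the key-only posture
# Paul describes.
audit_sshd_config() {
    cfg="$1"
    weak=0

    # Defaults are those of current OpenSSH releases (assumption).
    pw=$(sshd_value "$cfg" PasswordAuthentication yes)
    pk=$(sshd_value "$cfg" PubkeyAuthentication yes)
    root=$(sshd_value "$cfg" PermitRootLogin prohibit-password)
    port=$(sshd_value "$cfg" Port 22)
    # KbdInteractiveAuthentication replaced the older ChallengeResponseAuthentication
    # name; honour whichever the file uses, default yes.
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication \
          "$(sshd_value "$cfg" ChallengeResponseAuthentication yes)")

    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication $pw -> online password guessing is possible; set 'no'"
        weak=$((weak + 1))
    fi
    if [ "$pk" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication $pk -> key logins are disabled; set 'yes'"
        weak=$((weak + 1))
    fi
    if [ "$root" = "yes" ] && [ "$pw" != "no" ]; then
        echo "WEAK: PermitRootLogin yes with passwords enabled -> root is directly guessable"
        weak=$((weak + 1))
    elif [ "$root" = "yes" ]; then
        echo "NOTE: PermitRootLogin yes, but key-only, so direct root login (e.g. for backups) is acceptable"
    fi
    if [ "$kbd" != "no" ] && [ "$pw" = "no" ]; then
        echo "NOTE: keyboard-interactive is still on -> PAM may still accept plain passwords unless it is your 2FA path"
    fi
    if [ "$port" = "22" ]; then
        echo "NOTE: Port 22 -> expect automated scan noise in the logs; moving the port only reduces noise, not risk"
    fi
    return "$weak"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    audit_sshd_config "$1"
fi
```

The PermitRootLogin rule encodes Paul's point directly: root login is only reported as weak while passwords are still accepted. The keyboard-interactive note is the caveat people miss when following his advice, since `PasswordAuthentication no` alone does not stop a PAM stack from prompting for a password over the keyboard-interactive method.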
