To quickly add my $0.02:

I use "PermitRootLogin without-password" and use SSH keys for root. This
allows only a connection with that specific SSH key to connect; I believe this
is a fairly secure way to handle a root login situation.

- Eric


>>Continuing in the same vein:  double check that the OpenSSH sshd_config has
>>PermitRootLogin set to no.  If set to yes, this allows anyone to attempt to
>>login directly as root.  Although I am not a security expert by any means, I
>>recall reading that this is not a good idea...  Instead, you can login as
>>admin and then su to get root access.
>>
>
> ...unless your box is cracked/0wn3d/compromised/whatever-you-want-to-call-it. It is
> all a matter of opinion.
>
> I remember Zeffie mentioning that the only way to successfully 'restore' a box after
> it had been compromised and `su` had been tampered with was to log in as root
> directly. And I do recall Zeffie being a very decent, security conscious contributor
> to this list.
>
> It is therefore not all bad. Just remember to give the root account a *very* strong
> password and to change it pretty regularly. My personal favourite password is a
> generated password, hard to remember even by me.
>
> Mind you, I do not allow direct root logins (so I tend to agree with you). Mind you,
> again, that I have physical access to my machines. If you're colocating a few
> thousand miles away, make sure your ISP is a pretty decent one. "You get what you pay
> for" has been said many times before on these lists... and it's true. Don't save a
> few bucks if you really needn't.
>
> Have a great one... Nico
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security


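Both posts hinge on what PermitRootLogin is actually set to, and sshd honours the first uncommented occurrence of a keyword, so a hardening line added at the bottom of sshd_config is silently ignored if an earlier "yes" is still present. The script below is an added example, not code from Eric, Nico or the cobalt-security list: it reports the first effective PermitRootLogin value in a config file and classifies it. It assumes the plain "Keyword value" syntax (the optional "Keyword=value" form is not handled) and stops scanning at the first Match block, since directives after Match only apply to matching connections. The sample config it reads is constructed inline for the demo.

```shell
#!/bin/sh
# Added example: report the effective (first-match) PermitRootLogin setting.
# Assumptions: whitespace-separated "Keyword value" lines; scanning stops at
# the first "Match" line because later directives are conditional.

permit_root_login() {
    # Print the first uncommented PermitRootLogin value, lower-cased,
    # or "unset" when the global section does not define it.
    val=$(awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'unset\n'
    fi
}

classify_root_login() {
    # Turn the raw value into a one-line verdict for a hardening report.
    # "without-password" is the older spelling of "prohibit-password"
    # (OpenSSH 7.0 and later accept both; keys and host-based auth only).
    case "$1" in
        no)                                  echo "safe: direct root login disabled" ;;
        prohibit-password|without-password)  echo "ok: root only with key/host-based auth" ;;
        forced-commands-only)                echo "ok: root keys only, with forced commands" ;;
        yes)                                 echo "RISK: password root login permitted" ;;
        unset)                               echo "unset: default depends on OpenSSH version (yes before 7.0, prohibit-password after)" ;;
        *)                                   echo "unknown value: $1" ;;
    esac
}

# Constructed sample sshd_config: a commented "yes", then the two settings
# from the thread. Only the first uncommented one takes effect.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# Example config (constructed for this demo)
#PermitRootLogin yes
Port 22
PermitRootLogin without-password
PermitRootLogin no
EOF

value=$(permit_root_login "$tmp")
printf 'PermitRootLogin -> %s\n' "$value"
classify_root_login "$value"
rm -f "$tmp"
```

Run it against the real file with `permit_root_login /etc/ssh/sshd_config` after sourcing the script; on a live host, `sshd -T | grep -i permitrootlogin` gives the daemon's own view and is the authoritative check, since it also resolves Match blocks and Include files.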