On Wed, 23 Dec 2020 12:21:09 -0500 Daniel Barrett <[email protected]> wrote:
> This may be obvious, but... setting "PasswordAuthentication no" is > also a good idea to protect against ALL password-based logins -- > root's or otherwise. If sshd permits only (say) PubkeyAuthentication, > then attackers can't log in unless they have stolen the necessary > private key and decrypted its (hopefully very strong) passphrase. This. Because it is trivially easy to find login names to feed brute force attacks for examples "dbarrett" at blazemonger.com machines and "worley" at ariadne.com. Using fail2ban to stop brute force attacks is still a good idea, just in case of unpublished vulnerabilites that might permit key auth bypass or you have services which are not easily protected with key auth. -- Rich Pieri _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
