On Monday 09 February 2009 13:37:31, Nikos Chantziaras wrote:
> Stroller wrote:
> > I install sudo, give my user wide sudo rights and then set
> > "PermitRootLogin no" in /etc/ssh/sshd_config.
> > (Critique of this measure welcomed).
>
> Since Hung already answered about the other problem, I'll just comment
> on this.
>
> It's a bad idea if the machine is open to the Internet, especially since
> it's easy to simply "su -" or "sudo" as a normal user.

Sorry, but I consider that to be BS advice (at least concerning that you want 
to leave password-authentication open).

I'd always recommend disabling root login for ssh (as soon as that is 
possible, i.e. you have an unprivileged account who is in group wheel who you 
can use to access the machine in question), because root is a "well-known" 
user (and thus lends itself well to a [possibly distributed] ssh brute force).

When someone wants to "hack" your machine, he's always going to try known 
usernames before going on to guess what "additional" (unprivileged) usernames 
might have been set up on your system. And, even when he gets access to one of 
your user accounts (who happen to be in group wheel), he still has to guess 
the root password (when doing su -) to be able to become root, and hopefully 
this buys you the time to see in your logs that someone tried local "su" with 
invalid passwords, which should always be a high priority alert.

YMMV, but I've felt pretty safe (safer than leaving root open for password-
authentication) like this so far.

-- 
Heiko Wundram
Gehrkens.IT GmbH

FON 0511-59027953 | http://www.gehrkens.it
FAX 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Court of registration: Amtsgericht Hannover, HRB 200551
Managing directors: Harald Gehrkens, Daniel Netzer

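The log review this message relies on (failed local "su" treated as a high priority alert, failed ssh passwords for root as expected background noise), as an added example that is not part of the original email. The function name `analyse`, the sample lines and the log formats (OpenSSH, shadow su, pam_unix as commonly seen in Linux syslog) are assumptions; formats differ between distributions.

```python
import re
from collections import Counter

# Constructed sample in common Linux syslog formats (OpenSSH, shadow su, pam_unix).
# Hosts, users and addresses are made up; formats differ between distributions.
SAMPLE_LOG = """\
Feb  9 13:01:12 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  9 13:01:15 host sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Feb  9 13:01:19 host sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Feb  9 13:20:41 host sshd[2290]: Accepted password for alice from 192.0.2.44 port 53022 ssh2
Feb  9 13:21:02 host su[2301]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root
Feb  9 13:21:04 host su[2301]: FAILED su for root by alice
Feb  9 13:21:30 host su[2305]: FAILED su for root by alice
Feb  9 13:40:00 host su[2400]: Successful su for root by bob
"""

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+)")
SU_SHADOW = re.compile(r"su\[(\d+)\]: FAILED su for (\S+) by (\S+)")
SU_PAM = re.compile(r"su\[(\d+)\]: pam_unix\(su:auth\): authentication failure;"
                    r".*\bruser=(\S+).*\buser=(\S+)")

def analyse(log_text):
    """Return (alerts, guessed_names) for one chunk of auth log text."""
    ssh_known = Counter()   # failed ssh passwords for names that exist, e.g. root
    guessed = Counter()     # usernames sshd reports as invalid, i.e. being guessed
    su_failed = {}          # (invoking user, target) -> su pids; one pid is one attempt
    for line in log_text.splitlines():
        if m := SSH_FAIL.search(line):
            invalid, user, src = m.groups()
            if invalid:
                guessed[user] += 1
            else:
                ssh_known[(user, src)] += 1
        elif m := SU_SHADOW.search(line):
            pid, target, by = m.groups()
            su_failed.setdefault((by, target), set()).add(pid)
        elif m := SU_PAM.search(line):
            pid, by, target = m.groups()
            su_failed.setdefault((by, target), set()).add(pid)
    alerts = [f"HIGH: {len(p)} failed su attempt(s) for {t} by {b}"
              for (b, t), p in sorted(su_failed.items())]
    alerts += [f"INFO: {n} failed ssh password(s) for {u} from {s}"
               for (u, s), n in sorted(ssh_known.items())]
    return alerts, guessed

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[0]:
        print(alert)
```

The pam_unix and shadow lines for one su invocation share a pid, so counting distinct pids avoids reporting the same attempt twice.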