Linux on 390 Port <[email protected]> wrote on 2005.07.21 at 04:19:22:
> On one of my systems, I have
> 1. Turned off all password authentication
> 2. Written firewall rules to limit connexions to specific IP address
> ranges that have me covered. This reduces the number of attempts
> considerably.
>
> One of our systems was penetrated by a sloppy user-chosen password. Since
> then, I have
> 1. Changed the firewall rules so that incoming SSH lands on my desktop
> and not the server.
> 2. Changed the rules so _I_ choose passwords. _I_ use a password
> generator which produces gems such as et3tUfGd (now defunct). There is
> still mail to protect. For user-chosen passwords I suggest two (or
> more) unrelated words such as cowblue. I figure those won't be in
> people's attack dictionary.
>

My users need to have a Linux account to use samba, mail etc., but no ssh (or sftp) from outside. So I simply made firewall rules to let ssh in only from specific hosts..., but I think it's not a good idea to force users to use generated passwords (e.g. for political reasons), and I also do not recommend using a desktop computer for incoming ssh connections; the service will depend on a single PC. I think I would use PAM's features to force users to have heavy passwords.

István
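An added example, not part of the thread: a shell check that a PAM service file actually enforces a password-quality module on password changes, which is the kind of PAM enforcement the reply above suggests. The function name, the file path in the usage comment and the sample PAM lines are assumptions constructed for illustration; only `minlen` set on the module line is inspected, not settings held in a separate configuration file.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: pam_pw_policy FILE MIN    e.g. FILE=/etc/pam.d/passwd (path is an assumption)
# Prints "missing", "unset", "weak N" or "ok N"; returns 0 only for "ok".
pam_pw_policy() {
    file=$1
    want=$2
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # Drop comments, then take the first active "password" line that
    # loads pam_cracklib or pam_pwquality.
    line=$(sed -e 's/#.*//' "$file" |
           awk '$1 == "password" && /pam_(cracklib|pwquality)\.so/ { print; exit }')
    [ -n "$line" ] || { echo "missing"; return 1; }
    # Extract minlen=N from the module arguments, if present on the line.
    minlen=$(printf '%s\n' "$line" | tr ' \t' '\n\n' |
             sed -n 's/^minlen=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$minlen" ] || { echo "unset"; return 1; }
    if [ "$minlen" -ge "$want" ]; then
        echo "ok $minlen"
        return 0
    fi
    echo "weak $minlen"
    return 1
}

# Constructed sample input: a commented-out rule must not count as enforcement.
sample=$(mktemp)
printf '%s\n' \
    '# password requisite pam_cracklib.so minlen=20' \
    'auth     required  pam_unix.so' \
    'password requisite pam_cracklib.so retry=3 minlen=12 difok=3' \
    'password required  pam_unix.so use_authtok' > "$sample"
pam_pw_policy "$sample" 12 || true
rm -f "$sample"
```
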
