On 08.11.2009 at 17:37, Aleksander Podsiadly wrote:
On 08.11.2009 at 10:57, Martin Waschbuesch wrote:
About http://wiki.qmailtoaster.com/index.php/User_Tips_%26_Tricks#SSH
It is not hardening the system. :(
I agree there are ways to do even more (enforcing use of ssh public/
private key pairs among the lot)!
But when compared to a 'stock' toaster, I think it is a good idea to
limit the amount of times a dictionary based attack can come from the
same IP address before that IP is banned, as the stock toaster does
not provide any limitations here.
Someone can use a dictionary attack on an ordinary user account, then
after logging in as that user try to log in as superuser (sudo, su or
by a kernel bug).
I prefer:
#Protocol 2,1
Protocol 2
PasswordAuthentication no
Only version 2 of the ssh protocol and no way to log in by password; I
permit root login. The file ~/.ssh/authorized_users determines who
physically can log in. This file holds the public keys of those
authorized to log in to this (i.e. root) account. It's more secure. :)
Personally, I prefer not having to carry my key around with me (on
a USB stick??), but I need to be able to log on from different machines.
But at any rate: I think pure SSH2 /key pair authentication is a great
suggestion, so why not add it to the entry?
Thanks,
Martin
--
"No man, for any considerable period can wear one face to himself and
another to the multitude without finally getting bewildered as to
which may be the true."
Nathaniel Hawthorne
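
Added example, not part of the original messages: a small Python check of sshd_config text for the two settings quoted in the thread (Protocol 2 and PasswordAuthentication no). The function names and sample configs are constructed for illustration; it assumes sshd's first-value-wins rule per keyword and treats a missing Protocol line as unrestricted, which suits older OpenSSH releases whose default still allowed protocol 1.

```python
# Added example: audit sshd_config text for the settings discussed in the thread.

# Constructed sample: protocol 1 still allowed, password logins left at default.
WEAK = """\
# constructed sample
Protocol 2,1
#PasswordAuthentication no
"""

# The settings quoted in the message above.
HARDENED = """\
#Protocol 2,1
Protocol 2
PasswordAuthentication no
"""


def effective_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and sshd keeps the first value it reads
    for each keyword, so later duplicates are ignored here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of findings; an empty list means both settings are in place."""
    s = effective_settings(text)
    findings = []
    protocols = {p.strip() for p in s.get("protocol", "").split(",") if p.strip()}
    if protocols != {"2"}:
        findings.append("Protocol is not restricted to 2")
    # PasswordAuthentication defaults to yes when the line is absent or commented.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not disabled")
    return findings
```

Calling `audit(open("/etc/ssh/sshd_config").read())` on a real host applies the same check; the path is the usual default and may differ on your system.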