On Sun, 29 Jul 2012, Brian wrote: > used. But if it can be demonstrated that a twenty character password can > be forced in a time-frame which makes sense I'll stop doing it and most
That depends. Are you using any dictionary words or easy character permutations thereof to make a pass-phrase? If so, your 20-char password is a lot weaker than what one might expect at first glance. > And this is without enlisting any further help from rate-limiting with > iptables, denyhosts, port knocking etc, all of which reduce worry but do > not increase security. Hmm, they do increase security against on-line brute-force attacks, although it is a marginal increase. And they're not part of the default, therefore uninteresting: you can already tighten ssh up properly if you're not going to go with the defaults. > not because there are brute-force attempts on the account being made. If > keys or a strong password are employed the root account is no more > susceptible to be broken into than any other account. Too many "ifs" when dealing with a default configuration. As far as I'm concerned, Debian should ship with root logins disabled, denying logins to anyone not in the users group, x11 and agent forwarding disabled, and only RSA-based and GSSAPI/kerberos auth enabled. But this IS a very beaten old horse, and I am not going to bother with it. -- "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120730012708.ga10...@khazad-dum.debian.net
