On Feb 9, 2009, at 8:15 AM, Nikos Chantziaras <rea...@arcor.de> wrote:
Heiko Wundram wrote:
On Monday, 9 February 2009 13:37:31, Nikos Chantziaras wrote:
Stroller wrote:
I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.
(Critique of this measure welcomed).
Since Hung already answered about the other problem, I'll just comment
on this.
It's a bad idea if the machine is open to the Internet, especially since
it's easy to simply "su -" or "sudo" as a normal user.
Sorry, but I consider that to be BS advice (at least concerning
that you want to leave password-authentication open).
I'd always recommend disabling root login for ssh (as soon as that
is possible, i.e. you have an unprivileged account who is in group
wheel who you can use to access the machine in question), because
root is a "well-known" user (and thus lends itself well to a
[possibly distributed] ssh brute force).
Er, didn't I actually say the same? If other people have network
access to the machine, disable root. You misunderstood something.
I'd just as soon leave the root account able to be logged in over SSH
and remove password authentication in preference of a 2048-bit RSA
key. Just use a script to add failed logins to a deny list.
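
The deny-list script mentioned in the last reply, as an added example that is not part of the original thread: it counts failed SSH logins per source address and returns the addresses at or over a threshold. The OpenSSH syslog line format, the sample log lines, the threshold, the allow list and the function name are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: the address is read from the trailing
# "from <addr> port <n> ssh2", so a username that itself contains
# " from 192.0.2.1" cannot steer which address gets counted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+ ssh2$"
)

# Constructed sample input (documentation address ranges only).
SAMPLE_LOG = """\
Feb  9 13:01:02 host sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb  9 13:01:04 host sshd[2101]: Failed password for root from 203.0.113.5 port 40002 ssh2
Feb  9 13:01:07 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Feb  9 13:02:10 host sshd[2110]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 198.51.100.7 port 50111 ssh2
Feb  9 13:02:30 host sshd[2115]: Failed password for alice from 192.0.2.44 port 50200 ssh2
Feb  9 13:03:00 host sshd[2120]: Accepted publickey for alice from 192.0.2.44 port 50201 ssh2
"""

def build_deny_list(lines, threshold=3, allow=()):
    """Return sorted source addresses with >= threshold failed logins.

    Addresses in `allow` (e.g. your own admin host) are never listed,
    so a few typos cannot lock you out of the machine.
    """
    allowed = {ipaddress.ip_address(a) for a in allow}
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue  # accepted logins and unrelated lines
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a valid address: skip rather than guess
        if addr not in allowed:
            counts[addr] += 1
    return sorted(str(a) for a, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip in build_deny_list(SAMPLE_LOG.splitlines()):
        print(ip)
```

How the resulting list is enforced (firewall rule, TCP wrappers, or another mechanism) depends on the system and is left out here.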