On Wed, 2016-05-11 at 10:07 -0500, Bruno Wolff III wrote:
> On Tue, May 10, 2016 at 01:30:48 -0700,
>   Joe Zeff <j...@zeff.us> wrote:
> > 
> > 
> > Excellent advice.  Linux never tells you if the username you're
> > trying 
> > to log in with is right, just that the combination of username and 
> > password was wrong.  The only username that a potential cracker
> > knows 
> > exists is root, so if you allow remote log in as root, most of a 
> > cracker's job is already done.  All they need to know is find the
> > root 
> That is incorrect unless you are using very low entropy passwords.
> The 
> difficulty of guessing a username should be much lower than that of 
> guessing a password, so knowing a valid username should be almost no 
> help to an attacker.
> 
> Also, because the kernel seems to have lots of local privilege
> elevation 
> bugs, counting on being protected from total compromise if a normal
> user 
> account is compromised is not a good idea.

Virtually every security measure is a partial solution. There are no
magic bullets. However just because a given measure is weak on its own
doesn't mean it isn't useful in combination with others. Using a non-
root user for remote login means that the vast majority of drive-by
attackers will give up and move on. A targeted attack is of course
another matter.

poc
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
http://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Reply via email to