>>>>> "Matthew" == Matthew S Hallacy <poptix at poptix.net> writes:

    Matthew> On Tue, Dec 07, 2004 at 02:19:19PM -0600, rpgoldman at real-time.com wrote:
    >> 
    >> I'm no expert on PuTTy use, so I'm shutting up about that.  But,
    >> absolutely AS SOON AS POSSIBLE, shut off remote root access through
    >> SSH!  Once you've got a user account working, you'll be able to log in
    >> as a user and su to root for anything rootish you need to do.
    >> 
    >> If you don't do this, the next time there's an sshd hole, your machine
    >> will be toast....

    Matthew> What kind of crack are you smoking? There is no good
    Matthew> reason to turn off remote root logins, beyond an extra
    Matthew> password to type. If they snarfed *YOUR* password from
    Matthew> somewhere they can probably snarf your root password as
    Matthew> well when you su -.  A lot of people who turn off remote
    Matthew> root also set up sudo so they don't have to type the root
    Matthew> password, making it moot to begin with.

Well, if I'm smoking crack, I'm not the only one.  From "Securing and
Optimizing Linux: RedHat Edition -A Hands on Guide":


 PermitRootLogin no

    The option PermitRootLogin specifies whether root can log in using
    ssh. Never say yes to this option. 


    Matthew> A bug in ssh isn't going to magically say 'oh, but they
    Matthew> have allowrootlogin turned off, i guess i won't be
    Matthew> vulnerable today!'

Huh?  Well here's at least one reason:  all those bots that try
repeatedly to do root login over ssh aren't going to get anywhere...

The Internet Storm Center reports endemic ssh scans out in the wild.
Anything I can do to make this harder for them (including a little
crack) is fine with me...

R
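As an added illustration of the two points argued above (the PermitRootLogin setting quoted from the book, and the bots hammering root over ssh), here is a small POSIX shell audit that is not part of the original thread. It reads the effective PermitRootLogin value out of an sshd_config the way sshd does (first occurrence of the keyword wins, comments are skipped) and then counts failed root logins in a handful of constructed auth.log lines. The config fragments, log lines, hostnames and addresses are all constructed sample data, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread: audit PermitRootLogin and count
# failed root logins. All sample config and log content below is constructed.

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd honours the FIRST occurrence of a keyword and ignores later
# duplicates; '#' lines are comments. If the keyword is absent we print
# "default" (the compiled-in default was "yes" in OpenSSH of the thread's
# era and is "prohibit-password" in releases since OpenSSH 7.0).
effective_permit_root_login() {
    awk 'substr($1,1,1) != "#" && tolower($1) == "permitrootlogin" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "default" }' "$1"
}

# Count auth.log lines recording a failed password for root.
# grep -c exits 1 when there are no matches, so keep the "0" it prints.
count_failed_root_logins() {
    grep -c 'Failed password for root from' "$1" || true
}

# Print the source address with the most failed root logins.
# In the sshd log format used here the address is the 4th field from the end:
# "... Failed password for root from <ip> port <n> ssh2".
top_root_failure_source() {
    grep 'Failed password for root from' "$1" |
        awk '{ c[$(NF-3)]++ }
             END { best = ""; for (ip in c) if (c[ip] > c[best]) best = ip; print best }'
}

# --- constructed sample data ------------------------------------------------
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config fragment: commented line ignored, first value wins
Port 22
#PermitRootLogin yes
    PermitRootLogin no
PermitRootLogin yes
EOF

SAMPLE_CONFIG_DEFAULT=$(mktemp)
cat > "$SAMPLE_CONFIG_DEFAULT" <<'EOF'
# constructed sshd_config fragment with the keyword left commented out
Port 22
#PermitRootLogin yes
EOF

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec  7 14:19:19 host sshd[1234]: Failed password for root from 192.0.2.10 port 40112 ssh2
Dec  7 14:19:21 host sshd[1234]: Failed password for root from 192.0.2.10 port 40113 ssh2
Dec  7 14:19:25 host sshd[1240]: Failed password for invalid user test from 192.0.2.10 port 40120 ssh2
Dec  7 14:20:01 host sshd[1250]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2
EOF

# Temp files are removed when the shell exits.
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_CONFIG_DEFAULT" "$SAMPLE_LOG"' EXIT

# --- stand-alone run ---------------------------------------------------------
echo "PermitRootLogin (explicit config): $(effective_permit_root_login "$SAMPLE_CONFIG")"
echo "PermitRootLogin (keyword absent):  $(effective_permit_root_login "$SAMPLE_CONFIG_DEFAULT")"
echo "Failed root logins in sample log:  $(count_failed_root_logins "$SAMPLE_LOG")"
echo "Busiest source of root failures:   $(top_root_failure_source "$SAMPLE_LOG")"
```

On a live host you would point effective_permit_root_login at /etc/ssh/sshd_config (or, more reliably, read `sshd -T` output, which already resolves defaults and Match blocks) and the log functions at your auth log; the point of the two config samples is that a commented-out line does not turn root login off, and a later duplicate does not turn it back on.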

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list