On Wed, Dec 08, 2004 at 09:13:03AM -0600, rpgoldman at real-time.com wrote:
>
> Well, if I'm smoking crack, I'm not the only one. From "Securing and
> Optimizing Linux: RedHat Edition -A Hands on Guide":
>
>
> PermitRootLogin no
>
> The option PermitRootLogin specifies whether root can log in using
> ssh. Never say yes to this option.
>

People are retarded, see below.

>
>     Matthew> A bug in ssh isn't going to magically say 'oh, but they
>     Matthew> have allowrootlogin turned off, I guess I won't be
>     Matthew> vulnerable today!'
>
> Huh? Well here's at least one reason: all those bots that try
> repeatedly to do root login over ssh aren't going to get anywhere...
>
> The internet storm center reports endemic ssh scans out in the wild.
> Anything I can do to make this harder for them (including a little
> crack) is fine with me...

They're using dictionary attacks, if you're stupid enough to use a
dictionary password (you know, when passwd says THIS IS A BAD PASSWORD)
then you deserve to be rooted, exploited, shot in the head, etc.

Those same ssh scanners are also trying 'test', 'guest', 'toor' and a few
other common account names.

Relying on the obscurity of your usernames is not sufficient, stop
picking weak passwords, filter access from hosts that aren't supposed
to be logging in, use RSA/DSA keys, and it's a non-issue. (I think I
mentioned this in a previous email)

>
> R

--
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
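
The scanning behaviour discussed in this message (one source trying root, test, guest, toor and other common names) can be spotted in sshd logs. The following is an added example, not part of the original email: it assumes OpenSSH's syslog "Failed password" line format, uses constructed log lines with documentation-range addresses, and the min_users threshold is a hypothetical choice.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
Dec  8 09:01:11 host sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec  8 09:01:13 host sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Dec  8 09:01:15 host sshd[2105]: Failed password for invalid user guest from 203.0.113.5 port 40131 ssh2
Dec  8 09:01:17 host sshd[2107]: Failed password for invalid user toor from 203.0.113.5 port 40140 ssh2
Dec  8 09:02:40 host sshd[2111]: Failed password for alice from 198.51.100.7 port 50210 ssh2
Dec  8 09:02:52 host sshd[2113]: Accepted publickey for alice from 198.51.100.7 port 50214 ssh2
Dec  8 09:05:03 host sshd[2120]: Failed password for illegal user admin from 192.0.2.44 port 33001 ssh2
Dec  8 09:05:05 host sshd[2122]: Failed password for root from 192.0.2.44 port 33007 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user";
# existing accounts are logged with no prefix at all.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(\S+) from (\S+) port \d+"
)

def summarize_failures(log_text):
    """Map source address -> {"attempts": n, "users": set of usernames tried}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            stats[src]["attempts"] += 1
            stats[src]["users"].add(user)
    return dict(stats)

def likely_scanners(log_text, min_users=3):
    """Sources that failed against at least min_users distinct account names.

    A user mistyping a password fails repeatedly on one name; a dictionary
    scanner walks many names, so distinct-name count separates the two.
    """
    return sorted(
        src for src, s in summarize_failures(log_text).items()
        if len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    for src, s in summarize_failures(SAMPLE_LOG).items():
        print(src, s["attempts"], sorted(s["users"]))
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

Sources flagged this way are candidates for the host filtering mentioned in the message; the successful publickey login in the sample is ignored because only failed password attempts are counted.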