>>>>> "Matthew" == Matthew S Hallacy <poptix at poptix.net> writes:

    Matthew> On Wed, Dec 08, 2004 at 09:13:03AM -0600, rpgoldman at real-time.com wrote:
    >> 
    >> Well, if I'm smoking crack, I'm not the only one.  From "Securing and
    >> Optimizing Linux: RedHat Edition -A Hands on Guide":
    >> 
    >> 
    >> PermitRootLogin no
    >> 
    >> The option PermitRootLogin specifies whether root can log in using
    >> ssh. Never say yes to this option. 
    >> 

    Matthew> People are retarded, See below.

    >> 
    Matthew> A bug in ssh isn't going to magically say 'oh, but they
    Matthew> have allowrootlogin turned off, i guess i won't be
    Matthew> vulnerable today!'
    >> 
    >> Huh?  Well here's at least one reason:  all those bots that try
    >> repeatedly to do root login over ssh aren't going to get anywhere...
    >> 
    >> The internet storm center reports endemic ssh scans out in the wild.
    >> anything I can do to make this harder for them (including a little
    >> crack) is fine with me...

    Matthew> They're using dictionary attacks, if you're stupid enough
    Matthew> to use a dictionary password (you know, when passwd says
    Matthew> THIS IS A BAD PASSWORD) then you deserve to be rooted,
    Matthew> exploited, shot in the head, etc. Those same ssh scanners
    Matthew> are also trying 'test' 'guest' 'toor' and a few other
    Matthew> common account names

    Matthew> Relying on the obscurity of your usernames is not
    Matthew> sufficient, stop picking weak passwords, filter access
    Matthew> from hosts that aren't supposed to be logging in, use
    Matthew> RSA/DSA keys, and it's a non-issue. (I think I mentioned
    Matthew> this in a previous email)

Your perception of the tradeoff here seems way off mine.  My
perception of this precaution:

1.  Payoff:  somewhat limited, but non-zero

    a.  if you get access as a user, you don't automatically get root.
    b.  stupid bots targeting only root get absolutely nowhere.

2.  Cost:  absolutely zero for me (Mandrake ships with enableRootLogin
    = no), possibly 1 second's work for someone who has a stock sshd
    coming out of openBSD, where it defaults to "yes".

Net sum => positive.

Honestly, I can't understand why this arouses this response in you.
Not only do you claim it's not worth doing, you seem to be actively
ENRAGED by this.  Take a chill pill, dude.  Or go worry about
unpatched Windows boxes, or something that's reasonably significant.


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
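Added example, not part of the thread or anyone's post in it: a small Python script that parses sshd "Failed password" log lines for the scanning pattern the thread describes (root plus test/guest/toor tried from one source) and flags sources that cycled through several usernames. The log lines, hostnames and addresses below are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the thread); the format
# mimics OpenSSH "Failed password" messages as seen in /var/log/auth.log.
SAMPLE_LOG = """\
Dec  8 09:01:12 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  8 09:01:15 host sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Dec  8 09:01:19 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Dec  8 09:01:22 host sshd[2107]: Failed password for invalid user guest from 203.0.113.7 port 40150 ssh2
Dec  8 09:01:25 host sshd[2109]: Failed password for invalid user toor from 203.0.113.7 port 40158 ssh2
Dec  8 09:30:01 host sshd[2200]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Dec  8 09:30:40 host sshd[2202]: Accepted publickey for alice from 198.51.100.4 port 51003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def summarize_failures(log_text):
    """Return {source_ip: {username: failed_attempts}} for failed password logins."""
    by_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m.group("src")][m.group("user")] += 1
    return {src: dict(users) for src, users in by_src.items()}

def flag_scanners(summary, min_users=3):
    """Sources that tried several distinct usernames (root, test, guest, toor...)
    look like the dictionary scanners discussed in the thread. Returns sorted IPs."""
    return sorted(src for src, users in summary.items() if len(users) >= min_users)

def root_attempts(summary):
    """Total failed password attempts against root across all sources."""
    return sum(users.get("root", 0) for users in summary.values())

if __name__ == "__main__":
    s = summarize_failures(SAMPLE_LOG)
    print("scanner-like sources:", flag_scanners(s))
    print("failed root attempts:", root_attempts(s))
```

A single legitimate user fat-fingering a password once (alice above) is not flagged, while the source walking through root/test/guest/toor is.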