On Thu, 9 Dec 2004, John J. Trammell wrote:

> On Wed, Dec 08, 2004 at 10:15:23PM -0600, Ken Fuchs wrote:
>> "Matthew S. Hallacy" wrote:
>>
>>> If you really want to secure your system:
>>>
>>> 1) stop using passwords entirely (use RSA/DSA keys)
>>> 2) filter ssh access to only known hosts (where possible)
>>> 3) Disable protocol 1 backwards compatibility
>>> 4) Disable authentication methods that you do not use, kerberos, rhosts, etc.
>>> 5) keep your sshd up to date
>>
>> You forgot:
>>
>> 6) Disable remote root login.
>> 7) Disable sudo.
>> 8) There are more, but I've said enough already. :)
>
> You forgot:
>
> 9) unplug network cable
> 10) unplug power cable

Then smash the HDD to bits with a sledgehammer.

But seriously, we are talking about how to secure a networked computer. Numbers 1-7 might all add something to the security of the networked machine. I think it is important to deny access to collections of machines that are not legitimate clients. This is why I deny domains for all other continents.

The current controversy has been about how much is added by 6. Something is added (maybe not a lot), but the cost in terms of inconvenience will vary from user to user. For me, it is fine with PermitRootLogin set to 'no,' so I'm keeping it. If it is a hassle for someone else, he should set it to 'yes' because he isn't getting a lot of security out of his 'no' setting.

I'll send another message about sudo.

There is no need to accuse people of "smoking crack" or of being retarded. Think about it - this is a legitimate cost/benefit question. Why get emotional about it?

Mike

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
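
An added example, not part of any message in this thread: a small audit of the global section of an sshd_config against items 1, 3, 4 and 6 of the quoted list. The mapping from list items to directives, the directive names (as in OpenSSH releases of that period) and the sample config are assumptions constructed for illustration.

```python
import re

# Thread items 1, 3, 4 and 6 mapped to sshd_config directives (mapping assumed).
EXPECTED = {
    "passwordauthentication": "no",    # item 1: keys instead of passwords
    "protocol": "2",                   # item 3: no protocol 1 fallback
    "kerberosauthentication": "no",    # item 4: unused methods off
    "rhostsrsaauthentication": "no",   # item 4
    "hostbasedauthentication": "no",   # item 4
    "permitrootlogin": "no",           # item 6
}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

def parse_global(text):
    """Global-section settings of an sshd_config as {keyword: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue                      # keyword without an argument
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break                         # conditional blocks are not audited
        settings.setdefault(keyword, value)   # sshd keeps the first value seen
    return settings

def audit(text):
    """Return [(keyword, found)] where found differs from EXPECTED.
    found is None when the directive is not set in the global section."""
    settings = parse_global(text)
    return [(k, settings.get(k)) for k, want in EXPECTED.items()
            if settings.get(k) != want]

# Constructed sample input, not taken from the thread.
SAMPLE = """\
Protocol 2,1
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication=yes
HostbasedAuthentication no
Match User backup
    KerberosAuthentication no
"""

if __name__ == "__main__":
    for keyword, found in audit(SAMPLE):
        print(f"{keyword}: found {found!r}, expected {EXPECTED[keyword]!r}")
```

A directive reported with `None` is not set explicitly, so its effective value depends on the default of the installed sshd build.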