Re: Password scan
- From: John Thompson <john@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 23 Dec 2006 16:04:22 -0600
On 2006-12-23, Ertugrul Soeylemez <never@xxxxxxxxxxxxxx> wrote:
Jim Garrison <jhg@xxxxxxxxxxxxxxx> (06-12-22 11:19:05):
2) Disable root login. If you need to do remote admin, login as a
normal user and use su or sudo. Remember to give your non-root
user sudo authority BEFORE you disable root login :-)
3) Disable password-based authentication and use key-based auth only.
In key-based auth every user must possess a unique private key file
in addition to the key-file's passphrase, and no password hash is
ever sent over the wire.
Bad idea. If you need to login to a normal user first, and then issue
su/sudo to become root, an attacker can easily guess the length of the
root password, by nothing more than counting packets. When using
key-based authentication, better login to root directly.
How so? They still have to guess the password (actually two -- one for
the user account from which to invoke su/sudo and another for su/sudo
itself), and while they're doing that they're generating a log entry for
every failed attempt. Any sysadmin with a functioning brain cell is
going to perk up at that.
--
John (john@xxxxxxxxxxx)
.
- Follow-Ups:
- Re: Password scan
- From: Ertugrul Soeylemez
- Re: Password scan
- References:
- Password scan
- From: christian_sava
- Re: Password scan
- From: Jim Garrison
- Re: Password scan
- From: Ertugrul Soeylemez
- Password scan
- Prev by Date: Re: iptables, port scan, sendmail overload
- Next by Date: Re: Password scan
- Previous by thread: Re: Password scan
- Next by thread: Re: Password scan
- Index(es):
Relevant Pages
|
|
