Re: Password scan
- From: "Nico" <nkadel@xxxxxxxxx>
- Date: 23 Dec 2006 23:08:08 -0800
Ertugrul Soeylemez wrote:
> Jim Garrison <jhg@xxxxxxxxxxxxxxx> (06-12-22 11:19:05):
> > 2) Disable root login. If you need to do remote admin, login as a
> > normal user and use su or sudo. Remember to give your non-root
> > user sudo authority BEFORE you disable root login :-)
> > 3) Disable password-based authentication and use key-based auth only.
> > In key-based auth every user must possess a unique private key file
> > in addition to the key-file's passphrase, and no password hash is
> > ever sent over the wire.
> Bad idea. If you need to login to a normal user first, and then issue
> su/sudo to become root, an attacker can easily guess the length of the
> root password, by nothing more than counting packets. When using
> key-based authentication, better login to root directly.
That has its own dangers. There are numerous reasons to force non-root
login first, but the main reason is tracking: which of the authorized
root users on a system logged in and blew up the system at 4:00 AM last
night? It also makes it easier to cut off one inappropriate or expired
user than to expire the root passwords on all machines that user has
root access to.
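An audit check for the settings the quoted advice turns on (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication), written as an added example for this thread and not taken from the post or from OpenSSH. It assumes OpenSSH keyword names and the 2006-era default of PermitRootLogin yes (newer releases default to prohibit-password), and reads either a sshd_config file or the effective settings printed by `sshd -T`.

```sh
# Added example: audit sshd settings for the hardening discussed in the thread.
# Assumes OpenSSH keywords; a keyword absent from the file takes the default
# passed by the caller (PermitRootLogin defaulted to yes on 2006-era OpenSSH).
# First non-comment occurrence of a keyword wins, as sshd reads the file;
# lines from the first Match block onward are skipped (they apply conditionally).
sshd_setting() {
    # $1 file, $2 keyword (case-insensitive), $3 default when absent
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}
# Prints one line per weak setting; returns 0 only when all three checks pass.
audit_sshd_config() {
    cfg="$1"; rc=0
    root_login=$(sshd_setting "$cfg" PermitRootLogin yes)
    pass_auth=$(sshd_setting "$cfg" PasswordAuthentication yes)
    pubkey=$(sshd_setting "$cfg" PubkeyAuthentication yes)
    [ "$root_login" = no ] || { echo "PermitRootLogin=$root_login (want no: named users, then su/sudo)"; rc=1; }
    [ "$pass_auth" = no ] || { echo "PasswordAuthentication=$pass_auth (want no: keys only)"; rc=1; }
    [ "$pubkey" = yes ] || { echo "PubkeyAuthentication=$pubkey (want yes)"; rc=1; }
    return $rc
}
# Constructed sample configs so the check can be demonstrated stand-alone.
write_weak_config() {
    cat > "$1" <<'EOF'
# 2006-era defaults: nothing tightened, the hardening line is commented out
#PermitRootLogin no
PasswordAuthentication yes
EOF
}
write_hardened_config() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}
weak=$(mktemp); hardened=$(mktemp)
write_weak_config "$weak"; write_hardened_config "$hardened"
audit_sshd_config "$weak" || echo "weak config: NOT hardened"
audit_sshd_config "$hardened" && echo "hardened config: OK"
rm -f "$weak" "$hardened"
```

To audit a live host, run `sshd -T | audit_sshd_config /dev/stdin` so Match-block overrides and compiled-in defaults are already resolved by sshd itself.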