SSH on by default? (Was: too many deamons by default - F7 test 2 live cd)

Arthur Pemberton pemboa at gmail.com
Wed Mar 21 22:45:01 UTC 2007


On 3/21/07, Nicolas Mailhot <nicolas.mailhot at laposte.net> wrote:
> Le mercredi 21 mars 2007 à 20:42 +0100, Thomas M Steenholdt a écrit :
> > Alexander Boström wrote:
> > >
> > >> Lets settle for a default configuration with a good balance between
> > >> usability and security. Like perhaps disabling root login or something.
> > >
> > > Taking over a user account is really almost as bad as root access. The
> > > typical desktop user is thoroughly screwed regardless.
> > >
> >
> > I agree that compromising a user account is still bad. But not nearly as
> > bad as root access (if one must choose), but if root access through ssh
> > is disabled by default, attack scripts would have to *guess* a user to
> > bruteforce and can't rely on bruteforcing "root" who exists on every
> > *nix system.
>
> attackers *do* brute-force usernames, probably because root is usually
> secured but you can hope hitting a user account with no password
>
> install pam_abl. It will profile the attacks for you (for exemple on my
> system root is the most attacked user but this is dwarfed by one-shot
> dictionary-user tries)

Hence my point of havign root login off by default.

-- 
Fedora Core 6 and proud




More information about the fedora-devel-list mailing list