About ssh login

John Summerfield debian at herakles.homelinux.org
Wed Jan 30 23:12:08 UTC 2008


Mikkel L. Ellertson wrote:
> Ritesh Yeole wrote:
>> Dear Sir,
>> I want to ssh to my client; there is a sonic-firewall.
>>
>> In the firewall there is a static IP NAT with the server IP.
>> Now I want to ssh to it; it asks for a password, but when the password is entered it
>> says:
>> [root at ndtest ~]# ssh ultra
>> root at ultra's password:
>> Permission denied, please try again.
>> root at ultra's password:
>> Permission denied, please try again.
>> root at ultra's password:
>> Permission denied (publickey).
>> =================
>> [root at ndtest ~]# ssh raisoni
>> root at raisoni's password:
>> Permission denied, please try again.
>> root at raisoni's password:
>> Permission denied, please try again.
>> root at raisoni's password:
>> Permission denied (publickey,gssapi-with-mic,password).
>> [root at ndtest ~]#
>>
>>
>> Please tell me what the difference is between them and how it is solved.
>>
>>
>> Thanks
>> Ritesh
>>
> The default sshd setup does NOT allow root to log in. It is usually a 

Really?
20:01 [summer at numbat ~]$ root 172.17.0.11
The authenticity of host '172.17.0.11 (172.17.0.11)' can't be established.
RSA key fingerprint is eb:68:48:61:00:9a:24:ce:81:51:ed:d9:82:b9:92:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.11' (RSA) to the list of known hosts.
root at 172.17.0.11's password:
Last login: Thu Jan 31 06:01:38 2008
[root at localhost ~]#

That's a freshly-installed CentOS5 box. I don't imagine the CentOS folk 
changed that.

> bad idea to root logins from the Internet because it exposes the root 
> account to automated cracking attempts. If you must allow root logins 
> from the internet, at least limit it to using key pairs. If you can, 
> also limit it to connections for a specific IP address, or range of 
> addresses.

Rate-limiting with iptables is good. Blocking China, Japan, USA, Mexico 
is good if you don't live there.

> 
> As others have said, it is better to log in as a normal user, and then 
> become root. It does not eliminate automated attacks, but it does make 
> them harder.

I limit ssh from most of the world to five/hour. It makes it dashed hard 
to guess even a weak password.


-- 

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
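As an added illustration of the two points in the reply above (rate-limiting SSH to a handful of new connections per hour and checking whether sshd still permits root logins), here is example code that was not posted to the thread; the chain name, allow-list addresses and sample config file are constructed, and rules are only printed unless DO_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side helpers:
#  1) ssh_ratelimit_rules: iptables rules that cap NEW SSH connections per
#     source at MAX_PER_HOUR (the reply's "five/hour"), exempting an allow-list;
#  2) permit_root_login: the effective PermitRootLogin value of an sshd_config.
# Chain name, allow-list and sample config are constructed for illustration.

SSH_PORT=${SSH_PORT:-22}
MAX_PER_HOUR=${MAX_PER_HOUR:-5}
TRUSTED=${TRUSTED:-"192.0.2.10 198.51.100.0/24"}   # constructed allow-list

run_rule() {                       # echo the rule; execute it only on request
    echo "iptables $*"
    if [ "${DO_APPLY:-0}" = "1" ]; then iptables "$@"; fi
}

ssh_ratelimit_rules() {
    hitcount=$((MAX_PER_HOUR + 1))
    # The "recent" match keeps ip_pkt_list_tot (default 20) timestamps per
    # source, so a hitcount above that could never match.
    [ "$hitcount" -le 20 ] || { echo "MAX_PER_HOUR too large for recent match" >&2; return 1; }
    run_rule -N SSH_LIMIT
    for src in $TRUSTED; do
        run_rule -A SSH_LIMIT -s "$src" -j RETURN   # trusted sources bypass the limit
    done
    # --set records this attempt; --update then drops the (MAX_PER_HOUR+1)-th
    # attempt from the same source within 3600 s. Because --update refreshes
    # the timestamp too, a host that keeps retrying stays blocked.
    run_rule -A SSH_LIMIT -m recent --name SSH --set
    run_rule -A SSH_LIMIT -m recent --name SSH --update --seconds 3600 --hitcount "$hitcount" -j DROP
    run_rule -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_LIMIT
}

# sshd honours the first PermitRootLogin directive it reads; when none is
# set, OpenSSH releases before 7.0 default to "yes", which is why the fresh
# CentOS 5 box above let root straight in.
permit_root_login() {
    val=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*//p' "$1" | head -n 1)
    echo "${val:-yes}"
}

ssh_ratelimit_rules
cfg=$(mktemp); printf 'Port 22\n#PermitRootLogin yes\n' > "$cfg"   # constructed sample
echo "PermitRootLogin in $cfg: $(permit_root_login "$cfg")"
rm -f "$cfg"
```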

More information about the fedora-list mailing list