About ssh login
John Summerfield
debian at herakles.homelinux.org
Wed Jan 30 23:12:08 UTC 2008
Mikkel L. Ellertson wrote:
> Ritesh Yeole wrote:
>> Dear Sir,
>> I want to ssh to my client; there is a sonic-firewall.
>>
>> In the firewall there is static IP NAT with the server IP.
>> Now I want to ssh to it; it asks for a password, but when the password
>> is entered it says:
>> [root at ndtest ~]# ssh ultra
>> root at ultra's password:
>> Permission denied, please try again.
>> root at ultra's password:
>> Permission denied, please try again.
>> root at ultra's password:
>> Permission denied (publickey).
>> =================
>> [root at ndtest ~]# ssh raisoni
>> root at raisoni's password:
>> Permission denied, please try again.
>> root at raisoni's password:
>> Permission denied, please try again.
>> root at raisoni's password:
>> Permission denied (publickey,gssapi-with-mic,password).
>> [root at ndtest ~]#
>>
>>
>> Please tell me what the difference between them is and how it is solved.
>>
>>
>> Thanks
>> Ritesh
>>
> The default sshd setup does NOT allow root to log in. It is usually a
Really?
20:01 [summer at numbat ~]$ root 172.17.0.11
The authenticity of host '172.17.0.11 (172.17.0.11)' can't be established.
RSA key fingerprint is eb:68:48:61:00:9a:24:ce:81:51:ed:d9:82:b9:92:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.11' (RSA) to the list of known hosts.
root at 172.17.0.11's password:
Last login: Thu Jan 31 06:01:38 2008
[root at localhost ~]#
That's a freshly-installed CentOS5 box. I don't imagine the CentOS folk
changed that.
> bad idea to allow root logins from the Internet because it exposes the root
> account to automated cracking attempts. If you must allow root logins
> from the internet, at least limit it to using key pairs. If you can,
> also limit it to connections for a specific IP address, or range of
> addresses.
Rate-limiting with iptables is good. Blocking China, Japan, USA, Mexico
is good if you don't live there.
>
> As others have said, it is better to log in as a normal user, and then
> become root. It does not eliminate automated attacks, but it does make
> them harder.
I limit ssh from most of the world to five/hour. It makes it dashed hard
to guess even a weak password.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
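
Added example (not part of the original message and not OpenSSH code): a small Python audit that classifies how root may log in from the text of an sshd_config, covering the settings debated in this thread. The sample configs and the `defaults` dictionaries are constructed assumptions; the built-in value of PermitRootLogin depends on the OpenSSH release and the distribution's packaging, so confirm it on the host with `sshd -T`.

```python
"""Added example: classify how root may log in from sshd_config text."""

# Constructed sample: a stock-style config that never sets PermitRootLogin.
SAMPLE_STOCK = """\
# sshd_config (constructed sample)
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: root limited to key pairs, with a later conflicting line.
SAMPLE_HARDENED = """\
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin yes
"""

KEY_ONLY = {"without-password", "prohibit-password", "forced-commands-only"}


def effective_settings(config_text, defaults):
    """Global settings; sshd keeps the first value it reads for a keyword."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment: the built-in default applies
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # everything after Match is conditional, not global
        found.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return {**defaults, **found}


def root_login_mode(config_text, defaults):
    """Return 'disabled', 'keys-only' or 'password-allowed' for root."""
    s = effective_settings(config_text, defaults)
    prl = s["permitrootlogin"]
    if prl == "no":
        return "disabled"
    if prl in KEY_ONLY:
        return "keys-only"
    # PermitRootLogin yes: a password works if either prompt-based method is on.
    prompts = (s["passwordauthentication"], s["challengeresponseauthentication"])
    return "password-allowed" if "yes" in prompts else "keys-only"
```

The same stock file gives a different answer depending on the assumed built-in default, which is why the audit takes `defaults` as an argument instead of hard-coding one.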