On Wed, Dec 08, 2004 at 09:13:03AM -0600, rpgoldman at real-time.com wrote:
> 
> Well, if I'm smoking crack, I'm not the only one.  From "Securing and
> Optimizing Linux: RedHat Edition -A Hands on Guide":
> 
> 
>  PermitRootLogin no
> 
>     The option PermitRootLogin specifies whether root can log in using
>     ssh. Never say yes to this option. 
> 

People are retarded; see below.

> 
>     Matthew> A bug in ssh isn't going to magically say 'oh, but they
>     Matthew> have allowrootlogin turned off, I guess I won't be
>     Matthew> vulnerable today!'
> 
> Huh?  Well here's at least one reason:  all those bots that try
> repeatedly to do root login over ssh aren't going to get anywhere...
> 
> The Internet Storm Center reports endemic ssh scans out in the wild.
> Anything I can do to make this harder for them (including a little
> crack) is fine with me...

They're using dictionary attacks. If you're stupid enough to use a dictionary
password (you know, when passwd says THIS IS A BAD PASSWORD) then you deserve
to be rooted, exploited, shot in the head, etc. Those same ssh scanners
are also trying 'test', 'guest', 'toor' and a few other common account names.

Relying on the obscurity of your usernames is not sufficient. Stop picking
weak passwords, filter access from hosts that aren't supposed to be logging
in, use RSA/DSA keys, and it's a non-issue. (I think I mentioned this in
a previous email)

> 
> R

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
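
Added example, not part of the original message or thread: a small log check that shows which account names ssh scanners are actually trying, the point both posters argue over. The log lines are constructed samples in OpenSSH syslog format, the addresses are documentation ranges, and the three-name threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread). Older OpenSSH
# releases log "illegal user", newer ones "invalid user"; both are handled.
SAMPLE_LOG = """\
Dec  8 09:01:11 host sshd[2101]: Failed password for root from 192.0.2.10 port 40111 ssh2
Dec  8 09:01:13 host sshd[2103]: Failed password for illegal user test from 192.0.2.10 port 40115 ssh2
Dec  8 09:01:15 host sshd[2105]: Failed password for illegal user guest from 192.0.2.10 port 40119 ssh2
Dec  8 09:01:17 host sshd[2107]: Failed password for invalid user toor from 192.0.2.10 port 40123 ssh2
Dec  8 09:05:40 host sshd[2150]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec  8 09:05:52 host sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(\S+) from (\S+) port \d+"
)

def failed_by_source(log_text):
    """Map source address -> {account name: failed password attempts}."""
    table = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            user, source = match.groups()
            table[source][user] += 1
    return {source: dict(users) for source, users in table.items()}

def scanning_sources(log_text, min_users=3):
    """Sources that failed against at least min_users distinct account names."""
    hits = failed_by_source(log_text)
    return sorted(s for s, users in hits.items() if len(users) >= min_users)

def non_root_targets(log_text):
    """Account names other than root that received failed password attempts."""
    names = set()
    for users in failed_by_source(log_text).values():
        names.update(users)
    names.discard("root")
    return sorted(names)

if __name__ == "__main__":
    for source, users in failed_by_source(SAMPLE_LOG).items():
        print(source, users)
    print("likely scanners:", scanning_sources(SAMPLE_LOG))
    print("non-root names tried:", non_root_targets(SAMPLE_LOG))
```

Sources returned by `scanning_sources` are candidates for the host filtering mentioned above; names from `non_root_targets` that exist locally are the accounts to check for weak passwords.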
