Re: The crackers are out there

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Tue Nov 20 2007 - 09:16:56 AKST

On Tue, 20 Nov 2007, bryanm@acsalaska.net wrote:

> On Mon, November 19, 2007 7:19 pm, Arthur Corliss wrote:
>> 1) Root/administrator accounts should *never* be allowed to log in
>> remotely. The only access to superuser accounts should be on a
>> physical console or via su from a wheel group member. Let me be
>> more blunt: if you allow root to log in remotely for any reason
>> you're an idiot.
>
> There's that vice-presidential spirit we're looking for. <grin>

That's the standard Corliss no-tact spirit. In terms of basic security I
just want everyone to know just how egregious (and dangerous) this is. The
number one attack I see on my systems is still dictionary attacks. While a
strong password helps, for those using random combinations it's still just a
function of time -- and not much of that if there's some pure blind luck --
assuming no other precautions are taken.

Good security is about having lots of backup plans. When you combine all of
the countermeasures I suggest it becomes highly improbable that an attacker
will get a shell on the box (via ssh, anyways), and even if they do, they
still have more barriers in their way to get root.

         --Arthur Corliss
           Live Free or Die
Received on Tue Nov 20 09:17:13 2007
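
A check for point 1 quoted above, as an added example that is not part of the original message: it reads an sshd_config and reports every place where root can still log in over ssh, including a duplicate keyword or a Match block that undoes a global "no". The function names and the sample config are constructed for illustration, and Include files are assumed not to be in use.

```python
import re

# Constructed sample sshd_config (not from the original message).
SAMPLE = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

def effective_root_login(config_text):
    """Return (global_value, [(match_criteria, value), ...]).
    sshd keeps the first value it reads for a keyword; lines after a Match
    line apply only when its criteria hold and override the global value."""
    global_value, overrides = None, []
    match, seen_in_match = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            match, seen_in_match = arg, False
        elif keyword == "permitrootlogin":
            if match is None:
                if global_value is None:
                    global_value = arg.lower()
            elif not seen_in_match:
                overrides.append((match, arg.lower()))
                seen_in_match = True
    return global_value, overrides

def root_login_findings(config_text):
    """List every way this config still lets root log in over ssh."""
    value, overrides = effective_root_login(config_text)
    found = []
    if value is None:
        found.append("PermitRootLogin unset: built-in default is not 'no'")
    elif value != "no":
        found.append(f"global PermitRootLogin is '{value}'")
    found += [f"Match {m}: PermitRootLogin '{v}'" for m, v in overrides if v != "no"]
    return found

if __name__ == "__main__":
    print("\n".join(root_login_findings(SAMPLE)) or "no PermitRootLogin findings")
```

On the sample, the second global line is ignored because the first value wins, and the only finding is the Match block that re-enables key-based root login for one address range.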
