[lug] root password

Ken MacFerrin lists at macferrin.com
Wed Aug 2 16:44:06 MDT 2006

Sean Reifschneider wrote:
> On Wed, Aug 02, 2006 at 12:55:18PM -0600, Evelyn Mitchell wrote:
>>  tummy.com uses SSH keys, not passwords for remote and administrative
>>  access. One of the most sensitive times for security is during a change
> These days, we also recommend that SSH password authentication be disabled,
> because of the number of scans going on looking for weak passwords, and the
> rate of escalation of those scans.

I think you can still be pretty darn secure using password
authentication with the right config.

* A few obvious options:
PermitRootLogin no
PermitEmptyPasswords no

* Use a "whitelist" approach and only allow access for necessary users:
AllowUsers user1 user2

* Slow down any automated attacks by limiting the allowed number of
concurrent unauthenticated connections:
MaxStartups 10:30:60

* If possible for your setup, restrict logins to trusted IPs using TCP

Using these options (and a few ounces of common sense when choosing your
password) it's going to be more probably you'll get rooted from someone
exploiting a bug in another service on your machine than from a brute
force ssh attack..


More information about the LUG mailing list