Firewalls and Virusscanners
Darryl Moore
darryl at moores.ca
Tue May 26 00:41:37 UTC 2009
These are interesting points.
I give root a password on my network machines. They are all strong
passwords, and every machine has a different root password, so that if
one gets compromised it doesn't directly threaten the entire network. I
know Ubuntu doesn't allow root login, and I presume the idea behind this
is to simply provide a second unknown (the access user name) to a
would-be intruder. This really is no more secure than having a sufficiently
strong password though.
I don't allow root to login from outside without a password. If my
laptop is ever stolen, then at least one of my servers stands to be
compromised.
Another thing that is good to do that you don't mention is running sshd
on a non-standard port. I frequently get break-in attempts on port 22.
Where I run sshd though no one ever tends to look.
cheers,
darryl
Glen Merrick wrote:
> don't give root a password (use sudo) whenever possible and if
> you are running an ssh server outside of your router, i.e., naked on the
> internet, ensure that you can only log into your machine using openssl
> generated keys (or even if you access your computer from outside your
> system use openssl keys). From there, if you do access your computer
> from outside your LAN, create a non-admin privilege account that you can
> ssh into using openssl keys and then do a local ssh to whatever account
> you want to use, or do a su - account name (ssh cleaner and potentially
> safer). If you're running an apache server, that's another bucket of
> worms that are best left to others.
>
> Regards,
>
> Glen Merrick