Firewalls and Virusscanners

Darryl Moore darryl at moores.ca
Tue May 26 00:41:37 UTC 2009


These are interesting points.

I give root a password on my network machines. They are all strong
passwords, and every machine has a different root password, so that if
one gets compromised it doesn't directly threaten the entire network. I
know Ubuntu doesn't allow root login, and I presume the idea behind this
is to simply provide a second unknown (the access user name) to a
would-be intruder.  This really is no more secure than having a sufficiently
strong password though.

I don't allow root to login from outside without a password. If my
laptop is ever stolen, then at least one of my servers stands to be
compromised.

Another thing that is good to do that you don't mention is running sshd
on a non-standard port. I frequently get break-in attempts on port 22.
Where I run sshd though no one ever tends to look.

cheers,
darryl

Glen Merrick wrote:
> Don't give root a password (use sudo) whenever possible and if
> you are running an ssh server outside of your router, i.e., naked on the
> internet, ensure that you can only log into your machine using openssl
> generated keys (or even if you access your computer from outside your
> system use openssl keys).  From there, if you do access your computer
> from outside your lan, create a non-admin privilege account that you can
> ssh into using openssl keys and then do a local ssh to whatever account
> you want to use, or do a su - account name (ssh cleaner and potentially
> safer).  If you're running an apache server, that's another bucket of
> worms that are best left to others.
>
> Regards,
>
> Glen Merrick
>
>
>   
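
The settings discussed in this thread (root login, key-only access, a non-standard port) can be checked mechanically against an sshd_config file. The following Python sketch is an added example, not part of either message; the function names, the sample config and the assumed current OpenSSH defaults are illustrative assumptions.

```python
# Added example: audit sshd_config text against the advice in this thread.
# DEFAULTS are current OpenSSH defaults (an assumption about the installed
# version). Include files and Match blocks are not evaluated.
DEFAULTS = {"port": ["22"], "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def effective_settings(config_text):
    """Global settings: first value per keyword wins, Port may repeat."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":      # per-connection overrides start here
            break
        if len(parts) < 2:
            continue
        value = parts[1].strip('"').lower()
        if key == "port":
            seen.setdefault("port", []).append(value)
        else:
            seen.setdefault(key, value)
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List findings for root login, password login and the listening port."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("root can log in with a password")
    if s["passwordauthentication"] == "yes":
        findings.append("password logins are accepted")
    if s["pubkeyauthentication"] != "yes":
        findings.append("key-based login is disabled")
    if "22" in s["port"]:
        findings.append("sshd listens on port 22")
    return findings

# Constructed sample, not taken from any machine in the thread.
SAMPLE = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

The second `PasswordAuthentication` line in the sample is ignored because sshd keeps the first value it reads for a keyword, which is why a later override in the same file does not weaken the setting.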
