SSH hacked?
Mark Haney
mhaney at ercbroadband.org
Wed Jan 14 16:45:27 UTC 2009
Kent Borg wrote:
> Mark Haney wrote:
>> However, if you don't allow root login via ssh the chance of an
>> attacker getting in is ZERO.
>
> Let me get this straight. You see a real difference between, say,
> 0.000000000000 and 0.000000000001? (What color is your car??)
Yes, I do. Just because the chance is small doesn't mean it won't ever
happen. Statistically speaking. I'd much rather know my root account is
safe. Granted, I still have to worry about my user account, but that's
one account as compared to two. It also reduces the number of
potential user accounts by half (in this case anyway). It's a smaller
attack profile and therefore easier to defend. It's interesting how
military tactics and strategy apply in these cases.
>
> Other machines of mine do not have a root login. OK, so on those
> machines crack my personal account (also not going to happen by brute
> force) and sudo your way to root. Same destination. Same amount of work.
> Whether script kiddies have something to bang against isn't going to
> matter: A brute force attack is not going to work. Moving sshd is not
> going to increase security*, and the extent to which anyone believes
> otherwise is also the extent to which s/he is being distracted from real
> issues. (Of which there are plenty.) There are FAR easier ways to break
> into my machines than brute force login attempts.
A brute force attack /can/ work, even with hard-to-guess passwords.
Anyone can get lucky enough to string the random sequence of letters and
numbers together to get a strong password, just as someone can hit the
lottery. Granted, statistically it's exponentially harder, but it /can/
be done.
That's my point. If the chance of guessing a password is ZERO because
the account can't be accessed from that port, that's a far cry from
having a billionth of a chance. To me it's infinitely safer. Attackers
can spend forever trying to get my root password via ssh, but it'll
never happen. Whereas if I make root available for login via ssh, then
it's not zero but >0 and any number >0 constitutes a risk no matter how
small.
>
>
> -kb, the Kent who is not going to paint his car silver on the front half
> and black on the back half as a way to improve mileage.
>
>
> * Except in the case of a machine with a terrible password, in which
> case it is the *wrong* fix. Get a good password, and keep it secret.
> (Both radical suggestions for most people.)
>
>
--
Frustra laborant quotquot se calculationibus fatigant pro inventione
quadraturae circuli
Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
Call (866) ERC-7110 for after hours support