[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] ssh security

On Fri, Dec 17, 2004 at 06:45:22AM -0500, Rob Owens wrote:
> PermitRootLogin no Every hacker knows there is a user named
> "root" on your system. Don't allow root to ssh. Instead, ssh as
> your regular user and then su to become root. The hacker will
> then need to guess 2 sets of passwords in order to do get root
> access.
> AllowGroups AllowUsers These options are self-explanatory. If
> the administrator is the only one who needs to use ssh, then
> don't allow anybody else access. That makes for a lower number
> of valid login names for a hacker to guess at.

I have been meaning to ask the list, particularly Eric, if the
K12LTSP setups could be ship with a more restrictive SSH policy
out of the box.

The options I would propose are to limit SSH access to only
people in the staff group and disabling remote root logins.

  PermitRootLogin no
  AllowGroups staff

These are the two policies that I established with the HOSEF
installed K12LTSP servers. Until that happened, a few schools
were running production with generic user accounts and passwords.
Fortunately, the SSH policy was changed before the SSH scanning
bots got aggressive.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]