[K12OSN] ssh security
Vince Hoang
vince at litrium.com
Sat Dec 18 03:03:12 UTC 2004
On Fri, Dec 17, 2004 at 06:45:22AM -0500, Rob Owens wrote:
> PermitRootLogin no: Every hacker knows there is a user named
> "root" on your system. Don't allow root to ssh. Instead, ssh as
> your regular user and then su to become root. The hacker will
> then need to guess 2 sets of passwords in order to get root
> access.
>
> AllowGroups, AllowUsers: These options are self-explanatory. If
> the administrator is the only one who needs to use ssh, then
> don't allow anybody else access. That makes for a lower number
> of valid login names for a hacker to guess at.
I have been meaning to ask the list, particularly Eric, if the
K12LTSP setups could ship with a more restrictive SSH policy
out of the box.
The options I would propose are to limit SSH access to only
people in the staff group and disabling remote root logins.
PermitRootLogin no
AllowGroups staff
These are the two policies that I established with the HOSEF-
installed K12LTSP servers. Until that happened, a few schools
were running production with generic user accounts and passwords.
Fortunately, the SSH policy was changed before the SSH scanning
bots got aggressive.
-Vince
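Added example, not part of Vince's post or of the K12LTSP project: a POSIX shell audit that reads an sshd_config and reports whether the two settings proposed above (PermitRootLogin no, AllowGroups) are actually in effect. It also shows the trap a hardening script can fall into: sshd takes the first value it sees for a keyword, so a "no" appended below an existing "yes" changes nothing. The three sample config files are constructed here for illustration, and the function names effective_value and check_sshd_config are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for the two
# settings discussed on the list. sshd uses the FIRST value it finds for a
# keyword, so this reader does the same; settings under a "Match" block are
# conditional and are skipped.

# effective_value FILE KEYWORD  -> prints the first global value of KEYWORD
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                    # comment line
        { line = $0; gsub(/=/, " ", line); n = split(line, f) }
        n == 0 { next }                              # blank line
        tolower(f[1]) == "match" { inmatch = 1 }     # rest of file is conditional
        inmatch { next }
        tolower(f[1]) == tolower(key) && !found {
            found = 1
            for (i = 2; i <= n; i++) printf "%s%s", f[i], (i < n ? " " : "\n")
        }
    ' "$1"
}

# check_sshd_config FILE  -> exit 0 if root login is off and access is restricted
check_sshd_config() {
    file=$1
    rc=0
    prl=$(effective_value "$file" PermitRootLogin)
    # Unset meant "yes" on 2004-era OpenSSH; modern releases default to
    # "prohibit-password". Either way, say "no" explicitly.
    if [ "$prl" != "no" ]; then
        echo "FAIL: $file: PermitRootLogin is '${prl:-unset}', want 'no'"
        rc=1
    fi
    groups=$(effective_value "$file" AllowGroups)
    users=$(effective_value "$file" AllowUsers)
    if [ -z "$groups" ] && [ -z "$users" ]; then
        echo "FAIL: $file: no AllowGroups/AllowUsers, every account can try ssh"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file (PermitRootLogin=$prl AllowGroups=${groups:--} AllowUsers=${users:--})"
    return "$rc"
}

# Constructed sample configs (left in a temp dir; remove it when done).
tmp=$(mktemp -d)
cat >"$tmp/weak_sshd_config" <<'EOF'
# constructed sample: stock-like config, nothing restricted
Port 22
Protocol 2
PermitRootLogin yes
EOF
cat >"$tmp/hardened_sshd_config" <<'EOF'
# constructed sample: the two lines proposed on the list
Port 22
Protocol 2
PermitRootLogin no
AllowGroups staff
EOF
cat >"$tmp/trap_sshd_config" <<'EOF'
# constructed sample: "no" appended after "yes"; sshd keeps the first value
PermitRootLogin yes
PermitRootLogin no
AllowGroups staff
EOF

for f in "$tmp/weak_sshd_config" "$tmp/hardened_sshd_config" "$tmp/trap_sshd_config"; do
    check_sshd_config "$f" || echo "  -> would not deploy $f"
done
```

Before restarting sshd with AllowGroups in place, confirm the admin account really is in the staff group (`id adminuser`), syntax-check with `sshd -t`, and keep the current session open while testing a fresh login so a typo cannot lock you out. `sshd -T` prints the values sshd has actually settled on, which is the authoritative version of the check above.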