On 5 Jan 2012, at 08:21, Kevin Brennan wrote:
> - make sure root access via ssh is disabled
I see this touted now and then. What is the rationale? What I hear offered is "Well, you first have to get access to an account, and then you have to have the root password", i.e. you're forcing one extra layer of security. Well, why not then force 2 extra, with e.g. hardware tokens? Or 3 extra, with IP address restrictions too?
> - move ssh from port 22
If moving ssh from port 22 enhances your security, then you're doing it wrongly. All that does is keep your log files less cluttered by getting rid of (most of) the script kiddies. The only way they can get in is by guessing passwords, and you absolutely should not allow password authenticated access via ssh for that very reason - key-based access is the way to go.
> - install denyhosts
Or fail2ban, which can secure more than just ssh.
Niall
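
Added example, not part of the original message: a small Python check of an sshd_config's global section for the three items discussed in this thread (root login, port, password authentication). The function names, the assumed defaults and the sample configs are constructed for illustration; Match blocks and Include files are not evaluated.

```python
# Added example; the sample configs below are constructed, not from a real host.
# Assumed defaults of recent OpenSSH releases when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

def effective_settings(text):
    """Return (settings, ports) for the global section of an sshd_config."""
    settings, ports = {}, []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue                      # blank, comment or keyword without value
        key, value = fields[0].lower(), fields[1]   # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are out of scope here
        if key == "port":
            ports.append(int(value))      # Port may be given several times
        else:
            settings.setdefault(key, value)   # sshd uses the first value obtained
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings, ports or [22]

def audit(text):
    """List findings for the three items discussed in the thread."""
    settings, ports = effective_settings(text)
    findings = []
    if settings["passwordauthentication"] != "no":
        findings.append("password authentication is enabled; prefer key-based access")
    if settings["permitrootlogin"] == "yes":
        findings.append("root login is permitted with any enabled method")
    if 22 not in ports:
        findings.append("non-default port: less log noise, not an access control")
    return findings

WEAK = """\
# constructed sample: the second PasswordAuthentication line is ignored
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration, including values from Include files, and is the authoritative source for the same check.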