On Fri, Jan 6, 2012 at 00:56, Rory Browne <rbmlist at gmail.com> wrote:
> Whoops - forgot to include ilug@ first time around.
>>> ---------- Forwarded message ----------
> From: Rory Browne <rbmlist at gmail.com>
> Date: 5 January 2012 11:22
> Subject: Re: [ILUG] Help with web site security
> To: Niall O Broin <niall at magicgoeshere.com>
>>> On 5 January 2012 09:50, Niall O Broin <niall at magicgoeshere.com> wrote:
>> On 5 Jan 2012, at 08:21, Kevin Brennan wrote:
>>>>> - make sure root access via ssh is disabled
>>>> I see this touted now and then. What is the rationale? What I hear offered is "Well, you first have to get access to an account, and then you have to have the root password" i.e. you're forcing one extra layer of security . Well, why not then force 2 extra, with e.g. hardware tokens. Or 3 extra, with IP address restrictions too.
>> I'm not sure where you're coming from here. Depending on the security
> requirements of the host/service in question, then you'd decide how
> many layers of security you need, verses the cost ( including time /
> effort ) of each one. I think disabling root via ssh is a relatively
> cheap layer to add, in time, effort, inconvenience, and cash terms.
> Some environments do indeed implement these three layers, as well as a
> fourth time-based layer.
Some would argue that adding user accounts provides another vector for
attack. Personally, I would agree with most of the arguments (for
logging in as root) in the following post:
Would also agree with requiring passphrased keys to login. I don't
know the root password for many of the boxes I administer, though
given that I have root access, I could change it if required. Our
typical xen/ganeti VM creation scripts create a scrambled root
password (ala pwgen -c 32) and puppet deploys/removes the ssh keys of
those who are allowed to log in.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!