[Discuss] PSA: no root login for SSH
Rich Pieri
richard.pieri at gmail.com
Wed Dec 23 13:08:23 EST 2020
On Wed, 23 Dec 2020 12:21:09 -0500
Daniel Barrett <dbarrett at blazemonger.com> wrote:
> This may be obvious, but... setting "PasswordAuthentication no" is
> also a good idea to protect against ALL password-based logins --
> root's or otherwise. If sshd permits only (say) PubkeyAuthentication,
> then attackers can't log in unless they have stolen the necessary
> private key and decrypted its (hopefully very strong) passphrase.
This. Because it is trivially easy to find login names to feed brute
force attacks for examples "dbarrett" at blazemonger.com machines and
"worley" at ariadne.com. Using fail2ban to stop brute force attacks is
still a good idea, just in case of unpublished vulnerabilites that
might permit key auth bypass or you have services which are not easily
protected with key auth.
--
Rich Pieri
More information about the Discuss
mailing list