BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] PSA: no root login for SSH



On Wed, 23 Dec 2020 12:21:09 -0500
Daniel Barrett <dbarrett at blazemonger.com> wrote:

> This may be obvious, but... setting "PasswordAuthentication no" is
> also a good idea to protect against ALL password-based logins --
> root's or otherwise.  If sshd permits only (say) PubkeyAuthentication,
> then attackers can't log in unless they have stolen the necessary
> private key and decrypted its (hopefully very strong) passphrase.

This. Because it is trivially easy to find login names to feed brute
force attacks for examples "dbarrett" at blazemonger.com machines and
"worley" at ariadne.com. Using fail2ban to stop brute force attacks is
still a good idea, just in case of unpublished vulnerabilites that
might permit key auth bypass or you have services which are not easily
protected with key auth.

-- 
Rich Pieri