James Gregory wrote:
>> 1) Only use strong passwords.
>
> I agree - there's very little you can do about this.
I disagree, make ssh keys mandatory, especially if there is a super user
account involved, obviously this can be re-enabled but most people don't
mess with default settings.
>> 2) Don't use passwords at all, only keys.
>
> That wouldn't be a bad idea, but as you rightly mention, those who
> aren't used to using keys (or carrying them around [bad idea?]) would
> be stuck here.
The super user account could be called something other than "root", and
"root" username given no access to the system.
>> 3) Disable root login.
>
> I would say yes for every OS. There shouldn't really be any need to
> log in as root (esp if you can su/sudo up to it).
Doing semi-complete/complete backups via rsync/rsnapshot is difficult
using a non-SU account.
>> 4) Restrict the list of usernames that are valid, in combination
>> with (1) and (3).
>
> Difficult to implement, as you say.
Or just don't have many/any system accounts, many things like web and
ftp have been able to have virtual/non-system accounts for years, and
jail processes where possible and drop privileges where possible, there
are lots of things that should be done here.
>> 5) Install DenyHosts or Fail2Ban.
>
> I don't think there would be anything wrong with doing this. Yes, some
> people might find it controversial, but surely they can remove it if
> they please.
I've had no end of trouble with things like this in the past, it ended
up more trouble than it was worth.
>> 6) Move sshd to another port.
>
> More of a security by obscurity approach, but it would limit the
> inbound attacks.
I don't treat this as security by obscurity, I treat this as limiting
dictionary attacks on my servers, it doesn't stop an attacker, it does
stop bots.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
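The points argued above (keys only, no root login, an allow-list of usernames, a non-default port) all map onto a handful of sshd_config keywords, and a common mistake is grepping the file naively and being fooled by a commented-out line or a setting inside a Match block. Below is an added example, not part of the thread or anyone's posted code: a POSIX sh audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, global section ends at the first Match) and reports which of the thread's items are not in place. The keyword names are real sshd_config options; the two sample configs written by the helper functions are constructed for the demo and do not come from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed in the thread. Keyword names are real sshd_config options; the
# sample configs below are constructed for this demo.

# Print the effective value of a keyword in the global section of an sshd_config.
# sshd uses the FIRST occurrence of a keyword, and settings inside "Match"
# blocks apply only conditionally, so parsing stops at the first Match line.
sshd_get_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }            # end of the global section
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Print one finding per line, numbered after the list in the thread, and
# finish with a line "findings: N".
sshd_audit() {
    cfg=$1
    n=0
    pw=$(sshd_get_option "$cfg" PasswordAuthentication)
    kbd=$(sshd_get_option "$cfg" KbdInteractiveAuthentication)
    chal=$(sshd_get_option "$cfg" ChallengeResponseAuthentication)
    root=$(sshd_get_option "$cfg" PermitRootLogin)
    users=$(sshd_get_option "$cfg" AllowUsers)
    grp=$(sshd_get_option "$cfg" AllowGroups)
    port=$(sshd_get_option "$cfg" Port)

    # (1)/(2): PasswordAuthentication defaults to yes when unset.
    if [ "${pw:-yes}" != "no" ]; then
        echo "(2) PasswordAuthentication is '${pw:-yes}' (default yes); set it to no"
        n=$((n + 1))
    fi
    # Keyboard-interactive (PAM) can still prompt for a password even when
    # PasswordAuthentication is no; both spellings of the option are checked.
    if [ "${kbd:-yes}" != "no" ] && [ "${chal:-yes}" != "no" ]; then
        echo "(2) KbdInteractiveAuthentication/ChallengeResponseAuthentication not disabled"
        n=$((n + 1))
    fi
    # (3): "prohibit-password"/"without-password" still allow key-based root login.
    if [ "${root:-yes}" != "no" ]; then
        echo "(3) PermitRootLogin is '${root:-unset}'; set it to no"
        n=$((n + 1))
    fi
    # (4): no allow-list means every system account with a shell is reachable.
    if [ -z "$users" ] && [ -z "$grp" ]; then
        echo "(4) neither AllowUsers nor AllowGroups is set"
        n=$((n + 1))
    fi
    # (6): a note rather than a control; it only cuts down untargeted scanner noise.
    if [ "${port:-22}" = "22" ]; then
        echo "(6) sshd listens on the default port 22"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Count only, for scripting: prints the number of findings.
sshd_finding_count() {
    sshd_audit "$1" | sed -n 's/^findings: //p'
}

# Constructed sample configs for the demo (not taken from any real host).
write_weak_config() {
    cat > "$1" <<'EOF'
# Distribution-style default, with two traps for naive greps:
#PermitRootLogin no
Port 22
PermitRootLogin yes
PasswordAuthentication yes

Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
EOF
}

# Usage: run the audit against both constructed configs.
weak=$(mktemp) && hard=$(mktemp)
write_weak_config "$weak"; write_hardened_config "$hard"
echo "== weak =="; sshd_audit "$weak"
echo "== hardened =="; sshd_audit "$hard"
rm -f "$weak" "$hard"
```

The weak config reports five findings even though a `grep PermitRootLogin no` would "pass" it, because the only `no` is commented out and the `PasswordAuthentication no` sits inside a Match block that applies to one address range. Point the functions at `/etc/ssh/sshd_config` to check a real host; `sshd -T` is the authoritative way to see effective values when the file includes other files or relies on compiled-in defaults.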