On 05/10/2016 01:03 AM, Patrick O'Callaghan wrote:
> Much more important is to keep tight control of logins
> from outside your network. Only allow SSH, don't allow it to the root
> account, only allow it using token (not password) access, and run
> fail2ban.

Excellent advice. Linux never tells you if the username you're trying to log in with is right, just that the combination of username and password was wrong. The only username that a potential cracker knows exists is root, so if you allow remote login as root, most of a cracker's job is already done. All they need to do is find the root password and your box is pw0ned. Once you've set ssh up not to allow remote root login, any cracker has to find the right combo of username and password before fail2ban and/or DenyHosts blocks them.

If you really want to be careful, don't put any regular users in the wheel group, including yourself, and don't set anybody up with sudo. It's your system, you installed it and you know the root password. Use su (or su - if you only need to run one command as root) because that way anybody who does get into your system via ssh doesn't get automatic admin access. And as far as taking my own advice, the only reason I have sudo installed is because some install/update scripts use it (I've no idea why, as they're already run as root) and I've had updates barf if it's not there.
--
users mailing list
users@lists.fedoraproject.org
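An added example, not part of the original thread: a check of the effective sshd settings against the advice above (no root login over SSH, key-based login only). It assumes "token" means public-key authentication and that the input is in the format `sshd -T` prints; the function name `audit_sshd` and both samples are constructed for illustration. It goes one step past the thread by also checking keyboard-interactive authentication, which can still offer a PAM password prompt when `PasswordAuthentication` is off.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the thread's advice.
# Input format is what `sshd -T` prints: one lowercase "keyword value" per line.
# Typical use on a live host (as root):  sshd -T | audit_sshd

audit_sshd() {
    awk '
        function need(key, want, why) {
            got = (key in val) ? val[key] : "unset"
            if (got != want) {
                printf "FAIL %s=%s (want %s): %s\n", key, got, want, why
                bad = 1
            }
        }
        # Store each keyword with its first value field (last line wins on repeats).
        NF >= 2 { val[tolower($1)] = tolower($2) }
        END {
            need("permitrootlogin", "no", "root is the one account name an attacker already knows")
            need("passwordauthentication", "no", "password logins are open to guessing")
            need("pubkeyauthentication", "yes", "key login must work before passwords are turned off")
            # Keyboard-interactive can still prompt for a PAM password; older
            # OpenSSH releases print it as challengeresponseauthentication.
            kbd = ("kbdinteractiveauthentication" in val) ? "kbdinteractiveauthentication" : "challengeresponseauthentication"
            need(kbd, "no", "PAM can still ask for a password")
            exit bad
        }
    '
}

# Constructed sample: settings as `sshd -T` would print them on a lax host.
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
challengeresponseauthentication no'

# Constructed sample: the same host after following the advice.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "weak sample: findings above"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened sample: clean"
```

A keyword missing from the input is reported as `unset` and counted as a finding, so a truncated or partial dump never passes silently.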