
Re: [LUG] Securing SSH


On Monday 03 October 2005 14:41, William Fidell wrote:

Joining in 5 days late as per normal. (Yes, I am still alive!)

> But in common with other repliers I would not allow root login via ssh.
>     Or, in fact, allow root to log in using any method.

I've had this discussion time and time again [1], but there is ABSOLUTELY 
NOTHING wrong with allowing root login with without-password.

In fact, allowing root login with an ssh key is more secure than ssh'ing in as 
a normal user and su'ing to root [2] (when one of either the account or su 
request password).

I can't be arsed to check what started this post - but - I fail to understand 
the whole concept of honeypots other than for analysis by people with clue.

If you have a problem with attempts to brute force accounts (more than likely 
in an attempt trying to make money or fame, ahem), then you should surely just 
move to ssh keys?

If you still need passwords because you want to access your machines from 
insecure non-trusted machines, then .. pick an obscure username [3], make sure 
you have a decent password [4], and hope whichever machine you are logging in 
from doesn't have a keylogger installed either at OS or app layers.

Honeypots do absolutely nothing other than put you more at risk than you were 
before.  Unless you're running SEL and *really* know what you're doing with 
it (and even then I probably wouldn't trust you running it), then someone is 
easily going to be able to break out of the honeypot and screw you over 
somehow.

Ohh, and did I mention even if they can't do anything evil in the honeypot, as 
long as they have IP access they could spam, dos, share files and porn 
(including kiddy porn - and potentially get you arrested), host a harvesting 
website, or use your machine as a hop to cover their tracks.

If they've got into the honeypot and you're behind NAT, you've just let 
someone straight into your network - well done.  You do of course use vlans, 
right?

 ~ Theo, going back to sleep for another 5 months.


1 - Search back about 3 years through the archives and you might find the 
posts :)

2 - Keystroke logging, in a number of cases, is easier than retrieving a piece 
of data from a machine.  Either way, if the machine you are logging in from 
is compromised, you're fucked.

3 - 'zourzouvillys' is a good example of obscure (for the example of automated 
brute forcing, at least.) ;)

4 - which you've got already, right?

-- 
Theo P. Zourzouvillys
theo@xxxxxxxxxx
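The point Theo makes above is that the sshd setting `PermitRootLogin without-password` (spelled `prohibit-password` in OpenSSH 7.0 and later, which still accepts the old keyword) lets root in with a key only, and that turning password authentication off altogether is what actually stops brute forcing. The following is an added example, not part of the original post or of the OpenSSH project: a small POSIX sh audit that reads an sshd_config fragment, resolves each option the way sshd does (first occurrence wins, case-insensitive, comments ignored) and flags the two settings that matter for this thread. Both config fragments are constructed for the example; the script assumes the whitespace-separated `Key value` form only and no `Match` blocks, and treats a missing option as the historical default of `yes`.

```shell
#!/bin/sh
# Two constructed sshd_config fragments: the weak one allows root to log in
# with a password, the hardened one only with a key and disables passwords.
WEAK_CFG='# constructed example, not a real host
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CFG='# constructed example, not a real host
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no'

# sshd_option CONFIG KEY
# Print the effective value of KEY as sshd would see it: the first
# non-comment occurrence wins, keyword match is case-insensitive.
# Assumes "Key value" syntax only and no Match blocks.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# lower STRING: lower-case a value so "Without-Password" and
# "without-password" compare equal.
lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# audit_sshd CONFIG
# Returns 0 when root can only authenticate with a key and password
# authentication is off for everyone; prints one FINDING line per
# problem and returns 1 otherwise. A missing option is reported as
# "yes (default)", the pre-7.0 default assumed here.
audit_sshd() {
    cfg=$1
    rc=0
    root=$(sshd_option "$cfg" PermitRootLogin)
    pass=$(sshd_option "$cfg" PasswordAuthentication)

    case "$(lower "$root")" in
        without-password|prohibit-password|no) ;;
        *)
            echo "FINDING: PermitRootLogin is '${root:-yes (default)}': root can log in with a password"
            rc=1
            ;;
    esac

    case "$(lower "$pass")" in
        no) ;;
        *)
            echo "FINDING: PasswordAuthentication is '${pass:-yes (default)}': every account is brute-forceable"
            rc=1
            ;;
    esac
    return $rc
}

# Stand-alone demonstration: the weak fragment produces two findings,
# the hardened fragment none.
audit_sshd "$WEAK_CFG" || echo "weak config rejected"
audit_sshd "$HARDENED_CFG" && echo "hardened config accepted"
```

To run it against a live host, replace the constructed fragment with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; on OpenSSH 6.8 and later, `sshd -T` prints the fully resolved configuration (including Match blocks and defaults) and is the better input for the same check.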

--
The Mailing List for the Devon & Cornwall LUG