Group: comp.os.linux.networking
From: David Brown
Date: Monday, April 07, 2008 3:16 PM
Subject: Re: How to PREVENT a user from logging in through SSH

Chris Mattern wrote:
> On 2008-04-07, Ignoramus10392 wrote:
>> On 2008-04-07, Keith Keller wrote:
>>> On 2008-04-07, Ignoramus10392 wrote:
>>>> I do need from time to time to perform root tasks from scripts, for
>>>> example restarting named after DNS zone files update.
>>> That is what su and sudo are for.
>>>
>>>
>> I thought that both su and sudo require the user to enter a password?
>>
> su does require the password of the user you are switching to (unless
> you're root already). sudo *normally* requires the password of the
> user who invokes it as an additional security measure but can be
> configured to not require it. I would regard setting up a utility
> account with NOPASSWORD sudo privileges as more secure than letting
> root log directly in via SSH, as you can limit the utility account
> to be able to do as root only the things you list in sudo.
>

The other advantage of doing it this way is that any attacker using
brute-force attacks needs to guess the name of the utility account as
well as the password.

Other useful tricks for ssh security are to rate-limit the port
(especially on any internet-facing ports) - setting a limit of 3 per
minute with a burst of 3 lets you easily log in, but will ruin brute
force password crackers or denial of service attacks on the port. It
can also be worth putting ssh on a non-standard port - use a high port
number, and maybe have some automatic blacklisting for neighbouring
ports, so that port scans will not catch the open ssh port.

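Added example, not code from anyone in this thread: a POSIX shell script that puts both recommendations into practice, a NOPASSWD sudoers drop-in scoped to one command for a hypothetical utility account `dnsupd` (reloading named after a zone update), and iptables rules allowing 3 new SSH connections per minute with a burst of 3 on an assumed non-standard port 2222. It goes a step beyond the post by applying the limit per source address (hashlimit) rather than globally, so a single scanner cannot use up the budget for everyone.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: a utility
# account "dnsupd" (hypothetical) that only needs to reload named via
# rndc, and sshd listening on a non-standard port such as 2222.

# Build a sudoers line for the utility account: NOPASSWD (the actual
# sudoers keyword) but scoped to one explicit command with fixed
# arguments, so the account can do nothing else as root.
sudoers_line() {
    user="$1"; cmd="$2"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
}

# Write the line as a drop-in under /etc/sudoers.d and syntax-check it
# with visudo first: a broken sudoers file locks everyone out of sudo.
install_sudoers_dropin() {
    user="$1"; cmd="$2"; dir="${3:-/etc/sudoers.d}"
    tmp=$(mktemp) || return 1
    sudoers_line "$user" "$cmd" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -cf "$tmp"; then
        mv "$tmp" "$dir/$user"
    else
        rm -f "$tmp"; return 1
    fi
}

# Emit iptables rules: 3 new connections per minute (burst 3) per source
# address are accepted, anything beyond that from the same source is
# dropped. Established sessions are unaffected because only NEW matches.
ssh_ratelimit_rules() {
    port="$1"
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 3/minute --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh-$port -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP
EOF
}

# Dry run by default: print what would be applied. APPLY=1 (as root)
# installs the sudoers drop-in and loads the firewall rules.
if [ "${APPLY:-0}" = 1 ]; then
    install_sudoers_dropin dnsupd "/usr/sbin/rndc reload"
    ssh_ratelimit_rules 2222 | sh
else
    sudoers_line dnsupd "/usr/sbin/rndc reload"
    ssh_ratelimit_rules 2222
fi
```

The rules are appended to INPUT, so they must precede any blanket ACCEPT for the port; put them in a dedicated chain if your ruleset already has one.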