In comp.os.linux.misc Unruh
> Ignoramus10392
>>On 2008-04-07, Peter Ludikovsky
>>> Ignoramus10392 wrote:
>>>> On 2008-04-07, Peter Ludikovsky
>>>>> Ignoramus10392 wrote:
>>>>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>>>>> systems a little.
>>>>>> I have several local (inside the house) users who I do NOT want to be
>>>>>> able to log on from outside via ssh.
>>>>>> I would like to disable any remote SSH logins for these users.
>>>>>> How can I do that?
>>>>>> thanks
>>>>> man 5 sshd_config
>>>>> Look at the AllowUsers / DenyUsers entries
>>>> Looks great to me. Thanks. I assume that if I say AllowUsers
>>>> ...,root,... then, in conjunction with PermitRootLogin
>>>> without-password, the passworded root login will not be allowed.
>>>> I will try to verify everything.
>>>> i
>>> Security-wise it would be better to say "PermitRootLogin no" and
>>> "su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
>>> using Public Key Authentication is a good idea.
>>> hth
>>> /peter
>>Thanks. It worked fine. I have permitrootlogin without-password.
>>I do need from time to time to perform root tasks from scripts, for
>>example restarting named after DNS zone files update. I cannot fully
>>disable root login, though not letting passworded root logins is a
>>good idea which I already follow.
> You did not understand him. Disallow root logins. Then you can get in as
> yourself and then su or sudo to root.
Also he didn't understand how to configure bind to allow zone
transfers to happen securely, I fear...
[..]
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 103: operators on strike due to broken coffee machine
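
The AllowUsers / DenyUsers / PermitRootLogin approach from this thread, as an added example that is not part of any poster's message: a small Python model of how sshd decides whether an account is admitted, run over a constructed config that confines household users to the LAN. The user names, the 192.168.1.* subnet, and the helper names are assumptions; matching is simplified to `*`/`?` wildcards against the client address only (no CIDR, negation, or hostname lookup), and it models account admission, not the authentication method.

```python
import fnmatch

# Constructed config: user names and the 192.168.1.* LAN are made up.
# Entries in AllowUsers/DenyUsers are separated by spaces.
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
DenyUsers guest
AllowUsers kid1@192.168.1.* kid2@192.168.1.* admin
"""

def parse(text):
    """AllowUsers/DenyUsers accumulate; other keywords keep the first value seen."""
    cfg = {"allowusers": [], "denyusers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key in ("allowusers", "denyusers"):
            cfg[key].extend(args)
        else:
            cfg.setdefault(key, " ".join(args).lower())
    return cfg

def _matches(pattern, user, addr):
    """Match a USER or USER@HOST pattern (simplified, see lead-in)."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(addr, hpat)
    return fnmatch.fnmatchcase(user, pattern)

def login_allowed(cfg, user, addr):
    """True if sshd would admit this account from this client address."""
    if any(_matches(p, user, addr) for p in cfg["denyusers"]):
        return False  # DenyUsers is evaluated before AllowUsers
    allow = cfg["allowusers"]
    if allow and not any(_matches(p, user, addr) for p in allow):
        return False  # once AllowUsers is set, unlisted users are refused
    if user == "root" and cfg.get("permitrootlogin") == "no":
        return False  # listing root in AllowUsers does not override this
    return True

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for user, addr in [("kid1", "192.168.1.20"), ("kid1", "203.0.113.7"),
                       ("admin", "203.0.113.7"), ("root", "192.168.1.20")]:
        print(user, addr, "allowed" if login_allowed(cfg, user, addr) else "refused")
```

After editing the real file, `sshd -t` checks it for syntax errors before the daemon is reloaded.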