On Monday 09 February 2009 13:37:31, Nikos Chantziaras wrote:
> Stroller wrote:
> > I install sudo, give my user wide sudo rights and then set
> > "PermitRootLogin no" in /etc/ssh/sshd_config.
> > (Critique of this measure welcomed).
>
> Since Hung already answered about the other problem, I'll just comment
> on this.
>
> It's a bad idea if the machine is open to the Internet, especially since
> it's easy to simply "su -" or "sudo" as a normal user.

Sorry, but I consider that to be BS advice (at least concerning that you want to leave password-authentication open).

I'd always recommend disabling root login for ssh (as soon as that is possible, i.e. you have an unprivileged account who is in group wheel who you can use to access the machine in question), because root is a "well-known" user (and thus lends itself well to a [possibly distributed] ssh brute force).

When someone wants to "hack" your machine, he's always going to try known usernames before going on to guess what "additional" (unprivileged) usernames might have been set up on your system.

And, even when he gets access to one of your user accounts (who happen to be in group wheel), he still has to guess the root password (when doing su -) to be able to become root, and hopefully this buys you the time to see in your logs that someone tried local "su" with invalid passwords, which should always be a high priority alert.

YMMV, but I've felt pretty safe (safer than leaving root open for password-authentication) like this so far.

--
Heiko Wundram
Gehrkens.IT GmbH

FON 0511-59027953 | http://www.gehrkens.it
FAX 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Court of registration: Amtsgericht Hannover, HRB 200551
Managing directors: Harald Gehrkens, Daniel Netzer
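Added illustration, not part of the original message or thread: a small sketch of the log check the reply describes, flagging failed local `su` attempts to root as high priority and tallying failed SSH password attempts by username. The log lines are constructed samples in common sshd and pam_unix formats, and the name `analyze` and the user `alice` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges, hypothetical user "alice").
SAMPLE_LOG = """\
Feb  9 13:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb  9 13:01:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Feb  9 13:01:09 host sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Feb  9 13:20:44 host sshd[2290]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
Feb  9 13:21:10 host su[2301]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/1 ruser=alice rhost=  user=root
Feb  9 13:21:12 host su[2301]: FAILED SU (to root) alice on pts/1
Feb  9 13:25:30 host su[2310]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/1 ruser=alice rhost=  user=root
"""

# Remote guessing: which usernames are being tried over SSH.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
# Local escalation attempt: only the pam_unix line is matched, so the
# companion "FAILED SU" line for the same event is not counted twice.
SU_FAIL = re.compile(
    r"su\[\d+\]: pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*\bruser=(\S*).*\buser=(\S+)"
)


def analyze(log_text):
    """Return (ssh_failures_by_username, high_priority_su_alerts)."""
    ssh_failures = Counter()
    su_alerts = []
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            ssh_failures[m.group(1)] += 1
            continue
        m = SU_FAIL.search(line)
        if m and m.group(2) == "root":
            # Someone already holding a local account is guessing root's password.
            su_alerts.append({"priority": "high", "from_user": m.group(1), "line": line})
    return ssh_failures, su_alerts


if __name__ == "__main__":
    ssh_failures, su_alerts = analyze(SAMPLE_LOG)
    print("SSH password failures by username:", dict(ssh_failures))
    for alert in su_alerts:
        print("HIGH PRIORITY: failed su to root by", alert["from_user"])
```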