titan wrote: I guess if the NSA likes SELinux....
just brew it! wrote: titan wrote: I guess if the NSA likes SELinux....
They don't just like it... they developed it!
Some may actually consider that to be a disadvantage; but given that it is Open Source, the potential for NSA-mandated back doors is essentially nil.
just brew it! wrote: - Disable remote SSH access for the root account, and any user accounts which do not need the ability to log in remotely. Remote CLI admin tasks can still be performed by establishing an SSH session as a non-root user, then using su or sudo to run administrative commands.
radix wrote: Because the attacker will have to break two passwords instead of one: the user's and then root.
just brew it! wrote: It also means the attacker doesn't know the name of the account that has SSH access ahead of time. The problem with the root account is that it always has the same name, so the attacker doesn't have to guess the account name and crack the password; they only have to crack the password.
bthylafh wrote: just brew it! wrote: It also means the attacker doesn't know the name of the account that has SSH access ahead of time. The problem with the root account is that it always has the same name, so the attacker doesn't have to guess the account name and crack the password; they only have to crack the password.
You can rename the root account, not so? It just has to stay as account #1 #0.
jmcknight wrote: As a Linux server admin, here are a few tips:
1. For OpenSSH, in /etc/ssh/sshd_config, use the AllowUsers variable to limit who can log in. This is good if you have a bunch of accounts but don't want everyone to have shell access.
2. Bind MySQL's listening address to 127.0.0.1
3. Only allow access to Samba via your LAN if possible.
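Added example (not code from any poster in this thread): a small Python check for the settings recommended above, namely root SSH login disabled, an AllowUsers list in sshd_config, and MySQL bound to loopback. The function names and the sample configurations are constructed for illustration; Match blocks and the Samba tip are not covered.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def sshd_global(text):
    """Global sshd_config options (before any Match block): keyword -> values."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":   # conditional overrides are not audited here
            break
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit_sshd(text):
    opts, findings = sshd_global(text), []
    root = opts.get("permitrootlogin", [None])[0]   # sshd uses the first value it reads
    if root is None:
        findings.append("PermitRootLogin not set; default depends on OpenSSH version")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', expected 'no'")
    if "allowusers" not in opts:
        findings.append("no AllowUsers list restricts which accounts may log in")
    return findings

def audit_mysql(text):
    section, bind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.replace("_", "-") == "bind-address":
                bind = value              # MySQL option files: the last occurrence wins
    if bind is None:
        return ["bind-address not set under [mysqld]; the server default applies"]
    return [] if bind in LOOPBACK else [f"bind-address is '{bind}', not loopback"]

# Constructed sample configurations (not taken from the thread)
WEAK_SSHD = "PermitRootLogin yes\n# added later, but the first value wins\nPermitRootLogin no\n"
GOOD_SSHD = "PermitRootLogin no\nAllowUsers alice deploy\nMatch Address 10.0.0.0/8\n  X11Forwarding no\n"
WEAK_MYCNF = "[mysqld]\nbind-address = 0.0.0.0\n"
GOOD_MYCNF = "[client]\nport = 3306\n[mysqld]\nbind_address = 127.0.0.1\n"

if __name__ == "__main__":
    print(audit_sshd(WEAK_SSHD), audit_sshd(GOOD_SSHD), audit_mysql(WEAK_MYCNF), audit_mysql(GOOD_MYCNF))
```

The weak sshd sample shows a common mistake: appending `PermitRootLogin no` below an existing `PermitRootLogin yes` changes nothing, because sshd keeps the first value it reads for a keyword.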
cheesyking wrote: RSSH is quite cool too, lets you give users accounts that can only rsync/scp/sftp etc. into a chrooted directory. Also lets you specify a umask too.
titan wrote: Sure you can. It's not a great idea (since various tools and scripts are often hardcoded to use the username root rather than uid 0), but root is just a name.
No, the root account cannot be renamed. It's root. The root of all that is root.
bitvector wrote: titan wrote: Sure you can. It's not a great idea (since various tools and scripts are often hardcoded to use the username root rather than uid 0), but root is just a name.
No, the root account cannot be renamed. It's root. The root of all that is root.