[Gllug] honeypots and iptables redirects?

Doug Winter doug at pigeonhold.com
Sun Sep 4 10:12:48 UTC 2005


Russell Howe wrote:
> If they were lax enough to have an old ssh installed, or weak passwords,
> or enabled root login over ssh on an internet-accessible machine, then
> the chances of them reacting sensibly to being told that their machine
> is compromised are pretty low, I expect.

At the risk of putting the cat amongst the pigeons (in fact, I'm donning 
my flame-proof long johns now), I don't think having remote root logins 
enabled over ssh makes any real difference to security, unless you only 
log in as root over a physical console (or you have a poor root password 
of course).

If someone can gain a normal user account on a machine, then you have to 
assume that they can get root, so stopping remote root logins doesn't 
make much difference.

Having remote root logins enabled can be useful if you have problems 
with your machine - there are kinds of failure where you can only log in 
as root, and having this enabled does mean you can fix these classes of 
problem remotely.

Enabling remote root logins does sort of theoretically increase the 
chance of a success in a dictionary attack, because there are more 
targets, but if your passwords are strong I don't think this is a real risk.

If you are really concerned about brute-force password attacks, then 
it's better to disable password logins completely and only allow public 
key based authentication.  You can then have remote root logins without 
the risk of a brute-force on the password.  Just don't lose the key :)

doug.

-- 
http://adju.st/
Cricket is not the new football. It is the new cricket, which is a
hundred times better. -- Lawrence Booth
6973E2CF: 2C95 66AD 1596 37D2 41FC 609F 76C0 A4EC 6973 E2CF
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
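
Added example, not part of the original post: a small audit of sshd_config text for the setup described in the message's last paragraph (password logins off, public keys only, root login still allowed). It assumes upstream OpenSSH defaults and first-value-wins keyword handling, ignores Include files, and uses constructed sample configs.

```python
# Added example: audit sshd_config text for the keys-only setup.
# Assumptions: upstream OpenSSH defaults, no Include files; Match blocks are flagged, not evaluated.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return (settings, has_match) for the global section of an sshd_config."""
    seen, has_match = {}, False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            has_match = True  # everything after this is a conditional override
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(ALIASES.get(key, key), value)  # first value for a keyword wins
    return {**DEFAULTS, **seen}, has_match

def audit(config_text):
    """Return findings; an empty list means there is no password to brute-force."""
    s, has_match = effective_settings(config_text)
    findings = [f"{k} is not 'no'" for k in
                ("passwordauthentication", "kbdinteractiveauthentication") if s[k] != "no"]
    if findings and s["permitrootlogin"] == "yes":
        findings.append("root can authenticate with a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off, so keys cannot be used")
    if has_match:
        findings.append("Match block present: check its overrides by hand")
    return findings

# Constructed sample configs (not from the post).
KEYS_ONLY = """
PermitRootLogin yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""
# The second PasswordAuthentication line is ignored: the earlier one already set it.
SHADOWED = """
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("KEYS_ONLY", KEYS_ONLY), ("SHADOWED", SHADOWED)):
        print(name, audit(text) or "ok")
```

On a live host, `sshd -T` prints the effective configuration with defaults applied and is the authoritative check.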



