From: Oliver Fromme
Date: Fri, 30 May 2008 19:48:38 +0200 (CEST)
To: freebsd-questions@FreeBSD.ORG, gilles.ganault@free.fr, wojtek@wojtek.tensor.gdynia.pl
Subject: Re: Renaming "root" to "homer"?
Message-Id: <200805301748.m4UHmc6Q020790@lurza.secnetix.de>
In-Reply-To: <20080530170151.D2560@wojtek.tensor.gdynia.pl>

Wojciech Puchar wrote:
 > > People have already pointed out that it is a bad idea to
 > > allow remote root logins, so I won't repeat that. :-)
 >
 > i like bad ideas :) except the worst idea - dumb generalization.

If you disagree, please explain why. Otherwise your comment
is pointless.

 > > But to answer your question: Renaming the "root" account
 > > will probably break quite a lot of things, for example
 >
 > make 2 roots, root and homer in /etc/master.passwd

Yes, that would work. You just have to make sure to disable
password logins for root (i.e. "*").

Another idea would be to move sshd from the default port
to a non-standard port, e.g. 222 or whatever. Typically
ssh brute force attacks target port 22 only. This will
also clear your logs from useless break-in attempts.

Note that both suggestions (creating a "homer" user and
using a different port) are _not_ security measures per se,
but rather "security by obscurity". You still have to use
good passwords, or ssh keys.

Another approach is to enable ssh connections only from
certain source addresses or networks, using IPFW or PF.
Of course that's only possible if you know in advance
from which addresses you will need to be able to connect.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

cat man du : where Unix geeks go when they die
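An added example, not part of the original message: a small sh/awk audit for the "root plus homer" setup discussed above. It lists every uid 0 account in master.passwd-format input and reports whether its password field is disabled ("*"). The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample input (not real accounts or real hashes).
sample_passwd() {
    cat <<'EOF'
# constructed sample in master.passwd format
root:*:0:0::0:0:Charlie &:/root:/bin/csh
homer:$6$constructedsalt$constructedhash:0:0::0:0:Second uid 0 account:/root:/bin/sh
toor::0:0::0:0:Bourne-again Superuser:/root:
alice:$6$constructedsalt$constructedhash:1001:1001::0:0:Ordinary user:/home/alice:/bin/sh
EOF
}

# audit_uid0: read master.passwd-format text on stdin and print
# "<name> <state>" for each uid 0 account, where state is
#   disabled  password field starts with "*" (no crypt hash starts with "*",
#             so no password can match it)
#   EMPTY     password field is empty
#   password  field holds something that may be a usable hash
audit_uid0() {
    awk -F: '
        /^#/ || NF < 10 { next }            # skip comments and malformed lines
        $3 ~ /^[0-9]+$/ && $3 == 0 {
            if ($2 == "")         state = "EMPTY"
            else if ($2 ~ /^\*/)  state = "disabled"
            else                  state = "password"
            print $1, state
        }'
}

# root_password_disabled: exit status 0 only if the input has a root entry
# whose password field is disabled, as the reply above recommends.
root_password_disabled() {
    audit_uid0 | grep -qx 'root disabled'
}

# Stand-alone run over the constructed sample.
sample_passwd | audit_uid0
if sample_passwd | root_password_disabled; then
    echo "root password logins are disabled"
else
    echo "WARNING: root still accepts a password"
fi
```

On a live system the input would be /etc/master.passwd, read as root. A disabled password field does not by itself stop key-based ssh logins to that account.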