Date: Wed, 30 May 2007 02:06:38 -0700
From: perryh@pluto.rain.com
To: freebsd-questions@freebsd.org
Subject: Re: connecting user root with ssh
Message-ID: <465d3e9e.uyoP2YaUttmVs6ON%perryh@pluto.rain.com>
In-Reply-To: <465C1D68.8000502@yahoo.gr>
References: <11066.217.114.136.135.1180427946.squirrel@llca513-a.servidoresdns.net> <499c70c0705290145w309bd308u83f39f3791c5b3f@mail.gmail.com> <465C1D68.8000502@yahoo.gr>

> > you are warned, do not allow SSH to your box with user root at all.
> ...
> Having root logon enabled remotely is just asking for trouble.

The O.P. might be interested in knowing *why* allowing remote root
login is considered unwise:

* The name "root" is very well known.

* If "root" can log in remotely, a cracker need only guess root's
  password to obtain root access.

* If "root" cannot log in remotely, a cracker has to guess three
  things to obtain root access, instead of just one:

  + A valid username which is in the "wheel" group;
  + That user's password;
  + The root password.

This at least doubles the difficulty of a brute-force attack: even
if a suitable username were obvious, there would still be two
passwords to be cracked. It can be made even tougher by having only
one username (other than root) in the wheel group, choosing that name
as if it were a password, and not allowing it to be externally known
(e.g. never using it for mail).
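
Added example, not part of the original message: a Python check of the two settings the message relies on, the sshd `PermitRootLogin` directive and the number of non-root users listed in the `wheel` group. The sample config and group text are constructed and the function names are hypothetical; only members listed in the group file are counted, and only `no` is treated as disabling remote root login.

```python
# Constructed sample inputs, not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""
SAMPLE_GROUP = "wheel:*:0:root,k7q2vx,backupadm\noperator:*:5:root\n"

def permit_root_login(config_text):
    """Return (global value or None, values set after a Match line).
    sshd keeps the first value read; keywords are case-insensitive."""
    global_value, overrides, in_match = None, [], False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = True                    # later lines are conditional
        elif key == "permitrootlogin" and args:
            if in_match:
                overrides.append(args[0])
            elif global_value is None:         # first occurrence wins
                global_value = args[0]
    return global_value, overrides

def wheel_members(group_text):
    """Non-root usernames listed for 'wheel' (name:passwd:gid:members)."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "wheel":
            return [m for m in fields[3].split(",") if m and m != "root"]
    return []

def audit(config_text, group_text):
    """List deviations from the setup the message recommends."""
    findings = []
    value, overrides = permit_root_login(config_text)
    if value != "no":
        findings.append(f"global PermitRootLogin is {value or 'unset'}, not no")
    findings += [f"Match block sets PermitRootLogin {v}" for v in overrides if v != "no"]
    count = len(wheel_members(group_text))
    if count != 1:
        findings.append(f"wheel lists {count} non-root users, not one")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SSHD_CONFIG, SAMPLE_GROUP)))
```

An unset directive is reported rather than assumed safe, because the effective default depends on the platform's sshd build.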