On Tue, May 10, 2016 at 01:30:48 -0700, Joe Zeff <joe@xxxxxxx> wrote:
> Excellent advice. Linux never tells you if the username you're trying to log in with is right, just that the combination of username and password was wrong. The only username that a potential cracker knows exists is root, so if you allow remote log in as root, most of a cracker's job is already done. All they need to know is find the root
That is incorrect unless you are using very low entropy passwords. The difficulty of guessing a username should be much lower than that of guessing a password, so knowing a valid username should be almost no help to an attacker.
Also, because the kernel seems to have lots of local privilege elevation bugs, counting on being protected from total compromise if a normal user account is compromised is not a good idea.