On Wed, 2016-05-11 at 10:07 -0500, Bruno Wolff III wrote: > On Tue, May 10, 2016 at 01:30:48 -0700, > Joe Zeff <joe@xxxxxxx> wrote: > > > > > > Excellent advice. Linux never tells you if the username you're > > trying > > to log in with is right, just that the combination of username and > > password was wrong. The only username that a potential cracker > > knows > > exists is root, so if you allow remote log in as root, most of a > > cracker's job is already done. All they need to know is find the > > root > That is incorrect unless you are using very low entropy passwords. > The > difficulty of guessing a username should be much lower than that of > guessing a password, so knowing a valid username should be almost no > help to an attacker. > > Also, because the kernel seems to have lots of local privilege > elevation > bugs, counting on being protected from total compromise if a normal > user > account is compromised is not a good idea. Virtually every security measure is a partial solution. There are no magic bullets. However just because a given measure is weak on its own doesn't mean it isn't useful in combination with others. Using a non- root user for remote login means that the vast majority of drive-by attackers will give up and move on. A targeted attack is of course another matter. poc -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: http://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
