On Wed, Jun 14, 2006 12:38:51 PM -0500, Les Mikesell (lesmikesell@xxxxxxxxx) wrote:
> On Wed, 2006-06-14 at 18:56 +0200, M. Fioretti wrote:
> >
> > I've read on several howtos that one way to make ssh more secure,
> > or at least reduce the damage if somebody breaks in, is to NOT
> > allow direct ssh login from root, but allow logins from another
> > user. So you have to know two passwords in order to do any real
> > damage.

[...]

> Normally you would want people to use their own account for the
> initial login - and to use good passwords so a dictionary attack
> isn't likely to work.

I agree, but normal users have no reason to exist on that particular
box. It is a web and email server, nothing more. Even email is handled
via virtual users.

If I create another Unix account (my_aux_login), it will only be so I
can disable ssh directly as root and then ssh into the box with that
login, to immediately su to root for system administration.

So my original question means: (must I)/can I reduce as much as
possible the privileges/access rights of the my_aux_login account? so
that if somebody breaks _its_ password, it won't be able to do
anything, including browsing around to see what's installed? If yes,
how?

Marco

--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/

If you want to make God smile, make a plan - Anonymous