On Mon, Jan 28, 2008 at 10:36:03PM -0500, Jim Perrin wrote: > Along the lines of staying safe, now is probably a good time to check > your password policies. > > 1. Don't allow root access to ssh. (modify /etc/ssh/sshd_config) > 2. restrict root logins to only the local machine. (modify /etc/securetty) > 3. Limit users with access to 'su' to the wheel group (use visudo and > also modify /etc/pam.d/su) > 4. Make sure root is the only one with a uid of 0. ( awk -F: '($3 == > "0") {print}' /etc/passwd ) > 5. Use pam to require strong passwords. (install/use pam_passwdqc > which is part of the base distro, modify /etc/pam.d/system-auth ) > 6. Use denyhosts or pam.tally2 to restrict login attempts. > 7. use ssh keys. > > And above all, because I know many admins slack on this, and I'm > guilty of it as well if it's not forced... ROTATE your passwords > periodically > > The recommended password requirements for root: at least 10 characters > with a mix of upper/lower case, special characters, and numbers. > > Discussion, and alternate suggestions welcome. I will add to that list, change ssh port 22 to somthing else Regards Alfredo The Sauce _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos