Reply to post: Re: the system packages for most distros are totally open by default.

Linux malware? That'll never happen. Ok, just this once then


Re: the system packages for most distros are totally open by default.

But sudo caters for allowing users just the elevated access they need, not to sudo to a root shell.

I was a Unix admin for many years and would never allow someone sudo to ALL unless it were me, and always require a password (which has a minimum length and complexity of course). If you're the admin of a Linux server, you generally know how these things work and don't break the golden rule of allowing people access to things they don't need.

The default sshd_config is to not allow root logins. Sometimes you do need to log in as root, though, and in that case disallow password logins entirely and use a key pair. When I have sshd running and my IP address is external, logs generally show thousands of attempts (mostly from China, Korea and eastern Europe) at a root login. Even though they fail, it's pretty scary how many automated hackers there are, and it only takes one careless admin to allow them opportunity.

Man page for sshd_config is here and states the defaults, which are pretty secure. I'd still remove password logins on all accounts and edit the hosts.allow and hosts.deny files.
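As an added example (not part of the comment above), this Python sketch audits sshd_config text for the two settings the comment recommends: no password logins, and root access by key only or not at all. It assumes the upstream OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes); the sample config and all function names are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults (assumption: a distro build may ship different ones).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# Values consistent with the advice: key-only (or no) root login, no password auth.
ACCEPTABLE = {
    "permitrootlogin": {"no", "prohibit-password", "without-password",
                        "forced-commands-only"},
    "passwordauthentication": {"no"},
}

# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global settings, Match-block overrides) for the audited keywords."""
    global_cfg, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()                         # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = value                              # later lines are conditional
        elif key in DEFAULTS:
            if match is None:
                global_cfg.setdefault(key, value)      # sshd keeps the first value
            else:
                overrides.append((match, key, value))
    return global_cfg, overrides

def audit(text):
    """List settings that still permit password logins or password root login."""
    global_cfg, overrides = parse(text)
    findings = []
    for key, default in DEFAULTS.items():
        value = global_cfg.get(key, default)
        if value.lower() not in ACCEPTABLE[key]:
            source = "set" if key in global_cfg else "default"
            findings.append(f"{key}={value} ({source})")
    for cond, key, value in overrides:
        if value.lower() not in ACCEPTABLE[key]:
            findings.append(f"{key}={value} (Match {cond})")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parser does not follow Include directives; on a live host, `sshd -T` prints the effective configuration.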


Biting the hand that feeds IT © 1998–2021