On Wed, 2016-05-11 at 10:07 -0500, Bruno Wolff III wrote:
> On Tue, May 10, 2016 at 01:30:48 -0700, Joe Zeff joe@zeff.us wrote:
>> Excellent advice. Linux never tells you if the username you're trying to log in with is right, just that the combination of username and password was wrong. The only username that a potential cracker knows exists is root, so if you allow remote log in as root, most of a cracker's job is already done. All they need to know is find the root
> That is incorrect unless you are using very low entropy passwords. The difficulty of guessing a username should be much lower than that of guessing a password, so knowing a valid username should be almost no help to an attacker.
> Also, because the kernel seems to have lots of local privilege elevation bugs, counting on being protected from total compromise if a normal user account is compromised is not a good idea.
Virtually every security measure is a partial solution. There are no magic bullets. However, just because a given measure is weak on its own doesn't mean it isn't useful in combination with others. Using a non-root user for remote login means that the vast majority of drive-by attackers will give up and move on. A targeted attack is of course another matter.
poc