Mailing List Archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] server installation best practices/ worksheet



Sigurd Urdahl wrote:

Parts of Erin's list is BP (best) at my work place, but some would be "bad practices". Not because they are bad, but because we have standardised on other ways of doing things.
3.Disallow root log ons.[2]
4.Change SSH default port to something else.[2]
Both of these are no-no's in my department. It makes it easier to be on call sysadmin if we keep SSH at the standard port, and there have to be a very good reason for it if we expose that port to the internet. Allowing root logins also makes the on call sysadmin's job easier, we just try to change the passwords quite often. (we keep a secure password database, and we have different passwords for every security domain

Just my 2 cents about #3, what dis-allowing root log ons does is create a fine grained audit trail. What to know which sysad logged in at a particular time and made that change that inadvertently killed something else? You will never know for sure if all the sysads log on with root. su and sudo add entries into the logs so you know who was doing what and when.


Now number 4 is a good idea to defend against automated attacks, but we all know that nmap does a very good job detecting what is running on a system.


Pat


Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links