Re: [tlug] server installation best practices/ worksheet

[Patrick Kellaher <kalmite@example.com>]

Sigurd Urdahl wrote:
> Parts of Erin's list is BP (best) at my work place, but some would be 
> "bad practices". Not because they are bad, but because we have 
> standardised on other ways of doing things.
> > 3.Disallow root log ons.[2]
> > 4.Change SSH default port to something else.[2]
> Both of these are no-no's in my department. It makes it easier to be 
> on call sysadmin if we keep SSH at the standard port, and there have 
> to be a very good reason for it if we expose that port to the 
> internet. Allowing root logins also makes the on call sysadmin's job 
> easier, we just try to change the passwords quite often. (we keep a 
> secure password database, and we have different passwords for every 
> security domain 

Just my 2 cents about #3, what dis-allowing root log ons does is create 
a fine grained audit trail.  What to know which sysad logged in at a 
particular time and made that change that inadvertently killed something 
else?  You will never know for sure if all the sysads log on with root.  
su and sudo add entries into the logs so you know who was doing what and 
when.

Now number 4 is a good idea to defend against automated attacks, but we 
all know that nmap does a very good job detecting what is running on a 
system.


Pat