From: Glenn Sieb
Date: Thu, 16 Sep 2004 13:50:32 -0400
To: John DeStefano
Cc: freebsd-questions@freebsd.org
Subject: Re: increasing failed sshd logins/clearing breadcrumb trails
Message-ID: <4149D268.6020305@wingfoot.org>

John DeStefano said the following on 9/16/2004 10:40 AM:

>>> The easiest way to protect this is to check your sshd_config and set:
>>>
>>> PermitRootLogin no
>
> Interestingly, this option did not exist in my config file (I added
> it), but all other options were commented out. Is this the default?
> Is it wise to leave it this way?

Yes--it's in man sshd_config:

     PermitRootLogin
             Specifies whether root can login using ssh(1).  The argument
             must be ``yes'', ``without-password'',
             ``forced-commands-only'' or ``no''.  The default is ``no''.
             Note that if ChallengeResponseAuthentication is ``yes'', the
             root user may be allowed in with its password even if
             PermitRootLogin is set to ``without-password''.

             If this option is set to ``without-password'' password
             authentication is disabled for root.

             If this option is set to ``forced-commands-only'' root login
             with public key authentication will be allowed, but only if
             the command option has been specified (which may be useful
             for taking remote backups even if root login is normally not
             allowed).  All other authentication methods are disabled for
             root.

             If this option is set to ``no'' root is not allowed to login.

Best,
Glenn

-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
~Benjamin Franklin, Historical Review of Pennsylvania, 1759
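
An added example, not part of the original message: a small checker that resolves the effective global PermitRootLogin from sshd_config text, showing why a file with every option commented out falls back to the default and when the ChallengeResponseAuthentication caveat from the man page excerpt applies. The function names, the sample configs, and the default table are assumptions of this example; the PermitRootLogin default is the one the quoted man page states, and the ChallengeResponseAuthentication default of "yes" is assumed and should be confirmed against sshd_config(5) on the host.

```python
import re

# Assumed defaults: PermitRootLogin "no" is what the man page excerpt quoted in
# this message states; ChallengeResponseAuthentication "yes" is an assumption.
ASSUMED_DEFAULTS = {"permitrootlogin": "no", "challengeresponseauthentication": "yes"}
ALLOWED = {"yes", "no", "without-password", "forced-commands-only"}
LINE = re.compile(r"(\w+)\s*(?:=\s*|\s+)(.*)")  # "Keyword value" or "Keyword=value"


def effective_settings(config_text, defaults=ASSUMED_DEFAULTS):
    """Return global settings; commented-out lines leave the default in force."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#PermitRootLogin yes" is a comment, not a setting
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break  # conditional blocks are outside the global section
        settings.setdefault(key, value)  # sshd uses the first value obtained
    return {**defaults, **settings}


def audit_root_login(config_text):
    """Return (effective PermitRootLogin value, list of findings)."""
    eff = effective_settings(config_text)
    prl = eff["permitrootlogin"]
    findings = []
    if prl not in ALLOWED:
        findings.append("invalid PermitRootLogin argument: %r" % prl)
    elif prl == "yes":
        findings.append("root may log in with any enabled method")
    elif prl == "without-password" and eff["challengeresponseauthentication"] == "yes":
        findings.append("root password may still work via challenge-response")
    return prl, findings


# Constructed sample: every option commented out, as in the question above.
SAMPLE_ALL_COMMENTED = "#Port 22\n#PermitRootLogin yes\n#PasswordAuthentication yes\n"
# Constructed sample: key-only root login, challenge-response left at its default.
SAMPLE_KEY_ONLY = "PermitRootLogin without-password\n#ChallengeResponseAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("all commented", SAMPLE_ALL_COMMENTED), ("key only", SAMPLE_KEY_ONLY)):
        print(name, audit_root_login(text))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative check; the parser above only covers the global section of a single file.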