Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good starts... I'd also check that "ChallengeResponseAuthentication no" is set, as some PAM modules will utilize it and be able to get around passwords being entered, as well as "UsePAM no".

I do agree locking the root password isn't advisable. As I use configuration management/automation to handle my servers, I simply set the root password to a generated password that only I know the algorithm to reproduce when I need to, but enable sudoers for all other 'root' access. I also go further by utilizing Duo Security as MFA for SSH logins to my servers for accounts authorized to log in.

On 2/17/2016 10:26 AM, Peter Ludikovsky wrote:
> More or less. What I wouldn't agree with is locking the root account
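The four sshd_config directives named in the reply above can be checked mechanically. The script below is an added example, not part of the mailing-list post or of OpenSSH; it assumes the OpenSSH keyword names (the post's "PermitRoot" is spelled PermitRootLogin in sshd_config; ChallengeResponseAuthentication is still accepted by newer OpenSSH as an alias of KbdInteractiveAuthentication) and the OpenSSH rule that the first occurrence of a keyword wins and later duplicates are ignored, which is the usual way an appended "hardening" line silently fails to take effect. The sample config is constructed for the demonstration. Match blocks are not evaluated; for the running daemon's effective values use `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the post or from OpenSSH): audit an sshd_config
# for PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication
# and UsePAM, honouring sshd's "first occurrence wins" rule.
# Assumption: directives before the first Match block are the global ones;
# Match blocks themselves are not evaluated here.

# Print the effective (first-occurrence) value of a keyword, lower-cased,
# ignoring comments and blank lines. Prints nothing if the keyword is absent,
# in which case sshd applies its compiled-in default.
sshd_effective() {
    file=$1
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v want="$key" '
        NF == 0 || $1 ~ /^#/      { next }                    # comment / blank
        tolower($1) == "match"    { exit }                    # global section ends
        tolower($1) == want       { print tolower($2); exit } # first hit wins
    ' "$file"
}

# Compare each directive with the value the thread recommends ("no").
# Prints one line per directive; returns 0 only when all four are hardened.
audit_sshd_config() {
    file=$1
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                ChallengeResponseAuthentication:no UsePAM:no; do
        key=${pair%%:*}
        want=${pair##*:}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK    %-32s %s\n' "$key" "$got"
        else
            printf 'WEAK  %-32s %s\n' "$key" "${got:-<unset: compiled-in default applies>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config. PasswordAuthentication appears twice; sshd
# applies the FIRST line ("yes"), so the appended "no" is dead configuration.
SAMPLE_CFG=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# appended later in the hope of hardening; ignored by sshd:
PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "sshd_config needs attention"
```

Running it against the sample reports PasswordAuthentication as WEAK with the value `yes` and UsePAM as WEAK, which is the point of parsing first-occurrence rather than grepping for the line you expect to be there.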