Thomas Harold wrote:
> On 3/19/2014 2:50 PM, Ned Slider wrote:
>>
>> Just to add, I'm sure everyone has already read and implemented many of
>> the suggestions here:
>>
>> http://wiki.centos.org/HowTos/Network/SecuringSSH
>>
>> Numbers 2 and 7 have already been highlighted in this thread.
>
> #1 These days I would say that 8 chars minimum length is too few, even
> if they are completely random (and most won't be). If you're not
> willing to type gibberish, then a more reasonable minimum length is
> 12-14. Especially for your root password (or other administration
> accounts).

And most people can remember that? And then there's the annoyance factor.

> If you have your users creating 15+ character passwords, don't make them
> change it every 30/60/90 days. Password aging hurts more than it helps
> as passwords grow longer. Users are more likely to adopt poor behavior
> like simply adding or incrementing numbers from month to month. Longer
> durations, like 3-5 years, give the users time to memorize the password
> rather than just keeping it on a sticky on the desk.

Unfortunately, the real issue on this is that I think most of us here do
*not* have control of that, that's upper management. And even though NIST
says, I think, 2 years, I'm at a US gov't agency and it's the inane 2
months....

Though I will say the *really* bad places are the folks who compare it to
previous passwords, and do their best to keep you from having any pattern
at all, and so making it a *lot* harder to remember your current one. When
I worked at AT&T, a few years back, for the very first time, I had a *list*
of passwords for different systems (not the ones that we controlled)....
As Bruce Schneier says, security theater.

> #2 (disable root login) is a must for any public facing box, and a
> strong recommendation for all other boxes. It's the top target of
> attack, so why allow it to be attacked at all?

Other than at the console, yep. And as you note later, if someone can log
in as root to the console who shouldn't, you've got much larger security
issues.

> #5 (non-standard port) is very useful. Not for protecting yourself
> against attack, but from not having your log files fill up with all of
> the automated attack scripts. Which makes it easier to spot the more
> serious attackers who have taken the time and effort to find your SSH
> port.

Huh! That's the *only* rationale I've ever heard for security through
obscurity that actually makes sense. (One of my ongoing "goals" for the
annual review is cutting down the noise in our logs.)

<snip>

mark
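As an added example, not part of the thread or of the CentOS wiki page it links to, here is a small POSIX shell audit for the two sshd_config items discussed above, PermitRootLogin (#2) and Port (#5). It runs against constructed sample configs written to a scratch directory (no real host is read), and it encodes a caveat a practitioner wants here: sshd keeps the first value it reads for each keyword, and the global section ends at the first Match line, so a `PermitRootLogin no` appended at the bottom of a file that already says `yes` is silently ignored. The function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two
# settings discussed, PermitRootLogin (#2) and Port (#5).
# Caveat it encodes: sshd uses the FIRST value it reads for each keyword, and
# the global section ends at the first "Match" line, so a hardening line that
# an operator appends at the bottom of the file may never take effect.
# Limitation: only the "Keyword value" form is parsed, not "Keyword=value".

# first_value FILE KEYWORD
# Prints the effective (first) global value of KEYWORD, or nothing if unset.
first_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == "match"                { exit }   # global section over
        tolower($1) == tolower(key)           { print $2; exit }
    ' "$1"
}

# audit_sshd FILE
# Prints one finding per setting; exit status = number of real problems found
# (a default port is reported as INFO only, since it is a log-noise issue).
audit_sshd() {
    problems=0
    root=$(first_value "$1" PermitRootLogin)
    port=$(first_value "$1" Port)
    case "$root" in
        no) echo "OK   PermitRootLogin no" ;;
        "") echo "WARN PermitRootLogin unset; sshd's compiled-in default applies"
            problems=$((problems + 1)) ;;
        *)  echo "FAIL PermitRootLogin $root (first value wins; later lines ignored)"
            problems=$((problems + 1)) ;;
    esac
    case "$port" in
        ""|22) echo "INFO Port ${port:-22} (default; expect scanner noise in auth logs)" ;;
        *)     echo "OK   Port $port" ;;
    esac
    return "$problems"
}

# Constructed sample configs (not real hosts) kept in a scratch directory.
tmp=$(mktemp -d)

# weak.conf: the "appended hardening" mistake; the final line is dead.
cat > "$tmp/weak.conf" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# hardened.conf: first values are the safe ones; the Match block is conditional.
cat > "$tmp/hardened.conf" <<'EOF'
# constructed sample
Port 2222
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

for f in weak hardened; do
    echo "== $f.conf"
    audit_sshd "$tmp/$f.conf" || echo "   ($? problem(s))"
done
```

Point it at a real file with `audit_sshd /etc/ssh/sshd_config`; the exit status is non-zero whenever root login is not explicitly disabled in the global section, which makes it usable from a cron job or a configuration check. Moving the port is reported as INFO rather than a finding, matching the thread's view that it reduces log noise rather than risk.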