grim wrote:
> if the passwords are as weak as roland's seems to be the
> 'PermitRootLogin no'-option is only a little barrier. instead of one pw
> the attacker has to get two passwords.
And a username. Depending on the attacker and the site, that may or may
not be trivial.
At least some of the boxes I look after with SSH running have usernames
that don't appear in dictionaries or Google, and aren't widely known
outside the company. It means that an attacker has to get to know one of
the users.
They're not really "another password", but they're another hoop for
people to jump through.
James.
--
E-mail address: james | Real people: People who live "out there" in the "real
@westexe.demon.co.uk | world". Politicians at election time are obsessed with
| meeting this exotic species, even though it always
| seems to be surrounded by camera crews and reporters.
| -- BBC News
