grim wrote:
If the passwords are as weak as roland's seems to be, the 'PermitRootLogin no' option is only a little barrier. Instead of one pw the attacker has to get two passwords.
And a username. Depending on the attacker and the site, that may or may not be trivial.
At least some of the boxes I look after with SSH running have usernames that don't appear in dictionaries or Google, and aren't widely known outside the company. It means that an attacker has to get to know one of the users.
Do they appear in email addresses?
They're not really "another password", but they're another hoop for people to jump through.
TPG (an Oz IAP) had niterider dialup accounts for a while, free of charge but usage midnight to dawn. I signed up for seven hours a day of downloading whatever I wanted for free. I used the password generator in expect to generate both my user name and password :-)
--
Cheers John