From: Alviro Iskandar Setiawan
Date: Sat, 16 Apr 2022 00:29:42 +0700
Subject: Re: [PATCH server-a001 v1 1/1] Apply default SSH config and add public keys
To: Ammar Faizi
Cc: "GNU/Weeb Mailing List", Hazmi Alfarizqi, Alviro Iskandar Setiawan

On Sat, Apr 16, 2022 at 12:16 AM Ammar Faizi wrote:
>
> 1) Set the default port to 48589, don't use port 22 since we will
>    inevitably get brute-force SSH attack from random botnets. Even if
>    it's not really a concern if we're using a private key for the auth,
>    let's not spam our auth log with many login failed lines.

The sshd_config in this patch doesn't disable the password auth, tho

This:

> +PermitRootLogin prohibit-password

only disables password auth for root, you're still asked to enter the
password, but it will never work for root even if the root password is
correct. However, if the login user is not root, the password auth is
still valid.

> +# To disable tunneled clear text passwords, change to no here!
> +#PasswordAuthentication yes

This should be set to "no" to really disable password auth.

-- Viro
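
Review bot: `PasswordAuthentication` needs an explicit `no` rather than the commented-out `+#PasswordAuthentication yes` quoted above, because a commented line sets nothing and sshd's built-in default for this keyword is yes. The quoted lines also do not show `KbdInteractiveAuthentication` (older name `ChallengeResponseAuthentication`); with PAM that method can still prompt for a password, so confirm it is `no` as well and check the resolved values with `sshd -T` before reloading the daemon.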
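
The point made in the reply above, as an added example that is not part of the original message or the patch: a small checker that resolves `PermitRootLogin` and `PasswordAuthentication` from an sshd_config text and reports whether a correct password can log a given user in. The sample config is constructed from the lines quoted in the thread, and the user name `alice` and both function names are hypothetical.

```python
# Added example, not from the patch. Simplified model of sshd_config(5):
# global section only (stops at the first Match); Include files and
# keyboard-interactive/PAM are not modelled.

# OpenSSH built-in defaults for the two keywords discussed in the reply.
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

# Constructed sample: the lines quoted in the reply plus the port from the
# commit message; the rest of the real file is not on the page.
AS_POSTED = """\
Port 48589
PermitRootLogin prohibit-password
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
"""

# Same sample with the change the reply asks for.
SUGGESTED = AS_POSTED.replace("#PasswordAuthentication yes",
                              "PasswordAuthentication no")


def effective_settings(config_text):
    """Resolve the keywords in DEFAULTS the way sshd reads its global section."""
    seen = {}
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank or commented-out line: sets nothing
        key = fields[0].lower()  # keywords are case-insensitive
        if key == "match":
            break
        if len(fields) > 1:
            seen.setdefault(key, fields[1].lower())  # first value wins
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def password_login_allowed(config_text, user):
    """True if a correct password can log `user` in under this config."""
    cfg = effective_settings(config_text)
    if cfg["passwordauthentication"] != "yes":
        return False
    if user == "root":
        return cfg["permitrootlogin"] == "yes"
    return True


if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("suggested", SUGGESTED)):
        for user in ("root", "alice"):
            print(f"{name:10} {user:6} password login: {password_login_allowed(text, user)}")
```

On a live host, `sshd -T` prints the values the daemon actually resolved, including Include files and Match blocks that this sketch skips.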