Script Kiddies...

A few years ago a root password I thought was quite original was cracked on another server, and that taught me a few things. I am still enjoying the new Mac OS X Server that all of this runs on very much, but I am dismayed to see my log files filling up with attempts to log in as root. I have generated a new root password that is at least immune to dictionary attacks, which is how the last one was found: you cannot use any combination of dictionary words, or you will eventually be cracked by the automated password guessing these guys run.

So to sort things out I have disabled root login over SSH completely and changed the maximum number of authentication retries to 2. Setting it to 1 seems to make it impossible to sign on at all. This is important if you are making the change remotely: set it to 1 and you will find yourself locked out. Note that every public key your client offers and sshd rejects also counts against the limit, so a low value can bite you even when you know the password.

On OS X Server the configuration is in /etc/sshd_config. Use whatever editor makes you happy, but you must be root (or use sudo) to edit it. Make a backup copy of the original first, in case your editor converts the line endings or otherwise breaks the file completely.

The lines in question are:

#PermitRootLogin yes
#MaxAuthTries 6

They are both commented out by default, so remove the leading # first, then change the first to no and the second to 2. Once you save the file, sshd needs to pick up the change. You can probably do this by sending the running sshd a HUP signal from the command line, but I just logged in via ARD and stopped and restarted Remote Login in the Sharing pane of System Preferences. Before restarting, it is worth running sshd -t to check the file for syntax errors, because a typo here will refuse every new connection, including yours.

That gives the script kiddies only one chance to log in before they are disconnected and have to reconnect, and the attempt will always fail as long as they are using root as the user name. The low retry limit only slows them down; the real protection is PermitRootLogin no, which refuses root over SSH no matter what password they guess. Root still works locally and via sudo, so you lose nothing for administration.
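The edit described above, as an added shell example that is not part of the original post: it rewrites the two directives in a copy of sshd_config (uncommenting them if needed), keeps the .orig backup, and then reports the effective settings. The function names, the demo file under $TMPDIR and the three-line sample config are assumptions made for this example; run it against /etc/sshd_config as root only after trying it on a copy.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the two changes
# from the post (PermitRootLogin no, MaxAuthTries 2) to the sshd_config
# path given as $1, keeping a backup at "$1.orig" first.
harden_sshd_config() {
    cfg="$1"
    max_tries="${2:-2}"        # the post's value; 1 locked the author out
    cp -p "$cfg" "$cfg.orig"   # backup before editing, as the post advises
    # Rewrite each directive whether it is commented out or already set,
    # and append it if the file does not mention it at all.
    awk -v tries="$max_tries" '
        /^#?[[:space:]]*PermitRootLogin[[:space:]]/ { print "PermitRootLogin no"; seen_root = 1; next }
        /^#?[[:space:]]*MaxAuthTries[[:space:]]/    { print "MaxAuthTries " tries; seen_tries = 1; next }
        { print }
        END {
            if (!seen_root)  print "PermitRootLogin no"
            if (!seen_tries) print "MaxAuthTries " tries
        }' "$cfg.orig" > "$cfg"
}

# Syntax-check a config file with sshd's test mode before restarting it;
# a broken file is how you lock yourself out of a remote box. Returns 0
# when the check passes or when no sshd binary is installed to run it.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found, skipping syntax check" >&2
    fi
}

# Print the effective value of a directive: the first uncommented match
# wins, which is also how sshd itself reads the file.
sshd_setting() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Demo on a constructed copy of the default lines quoted in the post
# (hypothetical file, not a real /etc/sshd_config).
demo_file="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '#PermitRootLogin yes\n#MaxAuthTries 6\nPasswordAuthentication yes\n' > "$demo_file"
harden_sshd_config "$demo_file"
sshd_setting "$demo_file" PermitRootLogin   # no
sshd_setting "$demo_file" MaxAuthTries      # 2
```

The awk pass touches only the two directives and leaves every other line untouched, so a diff of the file against its .orig backup should show exactly two changed lines.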

Even on a Mac, if you set your root password to something stupid and leave root login turned on, you will eventually get broken into; it is just a matter of time.

JT (unauthenticated), May 18, 2009 7:17 AM

I always use an alternate port for ssh. It eliminates any connections.