SSH as root, why not?
alex.barylski
- DevNet Evangelist
- Joined: Tue Dec 21, 2004 5:00 pm
The obvious answer I am aware of, but if you allow remote login via a user, where is the difference if you also allow sudo/su???
Why couldn't an attacker login first as a user through SSH, then login as root using 'su' right after, which is what I have to do when I need to install applications or perform some root maintenance anyways.
Other than no logging for root (so I understand) where is the security benefit in enforcing this policy if I am the only one ever logging into the system via SSH?
Re: SSH as root, why not?
For logging and auditing purposes. SarBox, for example, prohibits root logins. Switching to root once logged in is fine, you have a trace of who switched. Logging in as root, you do not.
It also adds an extra layer of security. If you allow root to login, the "hacker" has one stage already completed - the username. If you disallow it, they must first work out a username, then a password.
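Jenk's point about the audit trail, as an added example that is not from the thread: an awk pass over constructed auth-log lines (syslog/pam_unix format, as written by sshd, su and sudo on many Linux distributions) recovers the originating user when root was reached via su or sudo, but for a direct root SSH login it can only report an address.

```shell
#!/bin/sh
# Added example, not from the thread. The log lines below are constructed
# for the example; hostnames, PIDs and addresses are made up.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[1234]: Accepted publickey for alex from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:30 host su[1240]: pam_unix(su:session): session opened for user root by alex(uid=1000)
Mar  3 10:05:00 host sshd[1300]: Accepted password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:06:10 host sudo:     alex : TTY=pts/0 ; PWD=/home/alex ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
EOF

# trace_root_access LOGFILE -> one line per root session, naming the person behind it where the log allows
trace_root_access() {
    awk '
    # direct root login over SSH: only a source address survives, no human identity
    / sshd\[[0-9]+\]: Accepted .* for root from / {
        print "DIRECT root login from " $(NF-3) " (no originating user recorded)"; next }
    # su to root: pam_unix records who switched
    / su\[[0-9]+\]: .*session opened for user root by / {
        sub(/\(uid=[0-9]+\)/, "", $NF); print "root via su by " $NF; next }
    # sudo as root: the invoking user and the exact command are both logged
    / sudo: / && / USER=root ; / {
        who = $6; cmd = $0; sub(/.*COMMAND=/, "", cmd); print "root command by " who ": " cmd }
    ' "$1"
}

# count_untraceable LOGFILE -> number of root sessions that cannot be tied to a user
count_untraceable() {
    trace_root_access "$1" | grep -c '^DIRECT'
}

trace_root_access "$AUTH_LOG"
```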
Re: SSH as root, why not?
If sudo is set up properly, the hacker still needs 2 passwords to get su privileges.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: SSH as root, why not?
pickle wrote:
    If sudo is set up properly, the hacker still needs 2 passwords to get su privileges.
Not really. If the hacker gets in via ssh as root, I don't think they need another password, they are already root.
Ditto everything Jenk said.
Re: SSH as root, why not?
Doug G wrote:
    pickle wrote:
        If sudo is set up properly, the hacker still needs 2 passwords to get su privileges.
    Not really. If the hacker gets in via ssh as root, I don't think they need another password, they are already root.
    Ditto everything Jenk said.
I think you misunderstood what pickle meant. The case is: No root login permitted via SSH, so one would need two passwords to get root.
@Hockey
There are several ways you can secure SSH:
1) PermitRootLogin No
2) Permit ssh protocol ver.2 only
3) Use key authorization instead of password whenever possible
2) Change the port the SSH daemon listens on to a non-standard one - e.g. port 345
3) Set up firewall rules to protect against brute force attacks.
Example:
# create a dedicated chain and send every new (SYN) connection to port 22 through it
iptables -N SSH
iptables -I INPUT -p tcp --dport 22 --syn -j SSH
# never rate-limit connections from the local host
iptables -A SSH -p tcp -s 127.0.0.1 -j RETURN
# drop the SYN if this source was already seen in the last 60 seconds (no --hitcount, so one new connection per source per minute)
iptables -A SSH -p tcp --syn --dport 22 -m recent --name bad_ssh --update --seconds 60 -j DROP
# otherwise record the source and let the packet continue down the INPUT chain
iptables -A SSH -p tcp --syn --dport 22 -m recent --name bad_ssh --set -j RETURN
There are 10 types of people in this world, those who understand binary and those who don't
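VladSun's checklist, as an added audit script that is not from the thread: it reads an sshd_config and reports which of the recommended settings are not in effect. Assumptions: the sample config is constructed; sshd applies the first value it sees for a keyword, so the check does the same; Match blocks are ignored; "PasswordAuthentication no" plus "PubkeyAuthentication yes" stand in for item 3.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# hardening checklist above. sshd applies the FIRST value it sees for a
# keyword, so the check does the same. Assumption: no Match blocks.

# Constructed sample config: root login is effectively still "yes"
# (first occurrence wins) and PasswordAuthentication is never set.
SAMPLE_CONFIG='Port 345
Protocol 2
PermitRootLogin yes
PermitRootLogin no
PubkeyAuthentication yes'

# effective_value FILE KEYWORD -> prints the effective value (first match, keyword case-insensitive)
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_setting FILE KEYWORD EXPECTED -> 0 if the effective value (lower-cased) equals EXPECTED
check_setting() {
    actual=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$3" ]
}

# audit_sshd_config FILE -> prints one line per weak setting, returns the number of findings
audit_sshd_config() {
    findings=0
    for pair in PermitRootLogin:no Protocol:2 PasswordAuthentication:no PubkeyAuthentication:yes; do
        key=${pair%%:*}; want=${pair#*:}
        check_setting "$1" "$key" "$want" || {
            val=$(effective_value "$1" "$key")
            echo "WEAK: $key is '${val:-unset}', expected '$want'"
            findings=$((findings + 1))
        }
    done
    # the port is not a security control, but note when the default is still in use
    port=$(effective_value "$1" Port)
    [ "${port:-22}" != "22" ] || echo "NOTE: sshd still listens on port 22"
    return "$findings"
}

CONFIG_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$CONFIG_FILE"
audit_sshd_config "$CONFIG_FILE" || echo "$? finding(s) in $CONFIG_FILE"
```

Modern OpenSSH servers speak only protocol version 2 and no longer use the Protocol keyword, so that check is only meaningful on older builds.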
- Chris Corbyn
- Breakbeat Nuttzer
- Joined: Wed Mar 24, 2004 7:57 am
Re: SSH as root, why not?
VladSun wrote:
    1) PermitRootLogin No
    2) Permit ssh protocol ver.2 only
    3) Use key authorization instead of password whenever possible
    2) Change the port the SSH daemon listens on to a non-standard one - e.g. port 345
    3) Set up firewall rules to protect against brute force attacks.
Apparently we have a new series of numbers
Re: SSH as root, why not?
LOL.
OK, I'll tell you the secret - it's new, it's "pi" based, but it still has some problems with rounding errors when viewed as the old-fashioned base-10 numeric system
Re: SSH as root, why not?
VladSun wrote:
    I think you misunderstood what pickle meant. The case is: No root login permitted via SSH, so one would need two passwords to get root.
The question was about allowing or not allowing ssh root logins, not how to gain root after a successful login as another user, and that's what I responded to (as did Jenk).
Re: SSH as root, why not?
Doug G wrote:
    VladSun wrote:
        I think you misunderstood what pickle meant. The case is: No root login permitted via SSH, so one would need two passwords to get root.
    The question was about allowing or not allowing ssh root logins, not how to gain root after a successful login as another user, and that's what I responded to (as did Jenk).
???
OK, let's have pickle answer this...
Re: SSH as root, why not?
If your system is internet accessible, any of a million script kiddies can slowly attack your root account at their leisure, and given a long enough time frame with a static password, they will eventually succeed. There is more reason for this to happen because the name and permission level of the root account is well-known. If they have to attack another account, the difficulty of compromise is exponentially higher because they don't know your login name. They also don't know whether you have enough permissions to make compromise worth the effort. And why should they bother, really, when there are so many root accounts to work on?