SSH as root, why not?

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

SSH as root, why not?

Post by alex.barylski »

The obvious answer I am aware of, but if you allow remote login via a user, where is the difference if you also allow sudo/su???

Why couldn't an attacker log in first as a user through SSH, then log in as root using 'su' right after, which is what I have to do when I need to install applications or perform some root maintenance anyways.

Other than no logging for root (so I understand) where is the security benefit in enforcing this policy if I am the only one ever logging into the system via SSH?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: SSH as root, why not?

Post by Jenk »

For logging and auditing purposes. SarBox, for example, prohibits root logins. Switching to root once logged in is fine, you have a trace of who switched. Logging in as root, you do not.

It also adds an extra layer of security. If you allow root to login, the "hacker" has one stage already completed - the username. If you disallow it, they must first work out a username, then a password.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: SSH as root, why not?

Post by pickle »

If sudo is set up properly, the hacker still needs 2 passwords to get su privileges.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Doug G
Forum Contributor
Posts: 282
Joined: Sun Sep 09, 2007 6:27 pm

Re: SSH as root, why not?

Post by Doug G »

pickle wrote:If sudo is set up properly, the hacker still needs 2 passwords to get su privileges.
Not really. If the hacker gets in via ssh as root, I don't think they need another password, they are already root :)

Ditto everything Jenk said.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SSH as root, why not?

Post by VladSun »

Doug G wrote:
pickle wrote:If sudo is set up properly, the hacker still needs 2 passwords to get su privileges.
Not really. If the hacker gets in via ssh as root, I don't think they need another password, they are already root :)

Ditto everything Jenk said.
I think you misunderstood what pickle meant.. The case is: No root login permitted via SSH, so one would need two passwords to get root.

@Hockey
There are several ways you can secure SSH:
1) PermitRootLogin No :)
2) Permit ssh protocol ver.2 only
3) Use key authorization instead of password whenever possible
2) Change the port the SSH daemon listens on to a non-standard one - e.g. port 345
3) Set up firewall rules to protect against brute force attacks.
Example:

Code:

iptables -N SSH
# send every new connection to port 22 through the SSH chain
iptables -I INPUT -p tcp --dport 22 --syn -j SSH
# never rate-limit localhost
iptables -A SSH -p tcp -s 127.0.0.1 -j RETURN
# drop a new attempt if this source was already seen in the last 60 seconds
iptables -A SSH -p tcp --syn --dport 22 -m recent --name bad_ssh --update --seconds 60 -j DROP
# otherwise record the source and continue normal processing
iptables -A SSH -p tcp --syn --dport 22 -m recent --name bad_ssh --set -j RETURN
There are 10 types of people in this world, those who understand binary and those who don't
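As an added example (not code from this thread), the following script audits an sshd_config file against the checklist above: PermitRootLogin, protocol version, key instead of password authentication, and the listening port. The sample config is constructed; the defaults assumed for unset keywords are the historical OpenSSH ones.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the checklist in the post above.
# Not code from the thread; the sample config below is constructed.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config with every weak setting present
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF

# sshd_get KEY FILE: effective value of KEY. Like sshd, the first match wins,
# keywords are case-insensitive, comments and blank lines are ignored.
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# audit_sshd FILE: print one line per setting that contradicts the checklist.
# Unset keywords are judged by the historical OpenSSH defaults (an assumption;
# newer releases default PermitRootLogin to prohibit-password).
audit_sshd() {
    v=$(sshd_get PermitRootLogin "$1")
    case "${v:-yes}" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=${v:-yes}: set it to no" ;;
    esac
    v=$(sshd_get Protocol "$1")
    case "${v:-2}" in
        *1*) echo "Protocol=$v: allow version 2 only" ;;
    esac
    v=$(sshd_get PasswordAuthentication "$1")
    if [ "${v:-yes}" != no ]; then
        echo "PasswordAuthentication=${v:-yes}: use key authentication"
    fi
    v=$(sshd_get Port "$1")
    if [ "${v:-22}" = 22 ]; then
        echo "Port=22: move sshd to a non-standard port"
    fi
}

audit_sshd "$SAMPLE_CFG"
```

Run it against /etc/ssh/sshd_config on a real host by replacing the constructed sample; an empty report means every item on the checklist is already in place.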
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: SSH as root, why not?

Post by Chris Corbyn »

VladSun wrote:1) PermitRootLogin No :)
2) Permit ssh protocol ver.2 only
3) Use key authorization instead of password whenever possible
2) Change the port the SSH daemon listens on to a non-standard one - e.g. port 345
3) Set up firewall rules to protect against brute force attacks.
Apparently we have a new series of numbers :)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SSH as root, why not?

Post by VladSun »

LOL.
OK, I'll tell you the secret - it's new, it's "pi" based, but it still has some problems with rounding errors when viewed in the old-fashioned base 10 numeric system :P
Doug G
Forum Contributor
Posts: 282
Joined: Sun Sep 09, 2007 6:27 pm

Re: SSH as root, why not?

Post by Doug G »

I think you misunderstood what pickle meant.. The case is: No root login permitted via SSH, so one would need two passwords to get root.
The question was about allowing or not allowing ssh root logins, not how to gain root after a successful login as another user, and that's what I responded to (as did Jenk).
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SSH as root, why not?

Post by VladSun »

Doug G wrote:
I think you misunderstood what pickle meant.. The case is: No root login permitted via SSH, so one would need two passwords to get root.
The question was about allowing or not allowing ssh root logins, not how to gain root after a successful login as another user, and that's what I responded to (as did Jenk).
???
OK, let's have pickle answer this...
chaos
Forum Newbie
Posts: 22
Joined: Thu May 15, 2008 9:20 am
Location: New Jersey

Re: SSH as root, why not?

Post by chaos »

If your system is internet accessible, any of a million script kiddies can slowly attack your root account at their leisure, and given a long enough time frame with a static password, they will eventually succeed. There is more reason for this to happen because the name and permission level of the root account is well-known. If they have to attack another account, the difficulty of compromise is exponentially higher because they don't know your login name. They also don't know whether you have enough permissions to make compromise worth the effort. And why should they bother, really, when there are so many root accounts to work on?