Bad practice perhaps but considering?

Whether you are using Linux on the desktop or as a server, it's still good that you're using Linux. Linux related questions go here.

Moderator: General Moderators

Post Reply
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Bad practice perhaps but considering?

Post by alex.barylski »

I have a Debina box which has two user accounts which are active -- in the sense they allow logins.

This computer sits behind a router for the most part but will be occassionally opened to the world.

I disabled root login by modiying the SSHD config file and I can no longer login as root remotely from any computer, even within my NAT router network. :D

The user account is a toally random 12 character password which I needed to record cause I'd never remember :P

Anyways...occassionally I want to install something or whatever and would prefer to leave the root password blank or something simple like password. Seeing as no one will be able to login directly as root, remotely anyways, would this be bad practice?

On second thought...I guess all they would have to do is login to my user account and SU into root...

Although honestly, I'd be surprised if anyone crackered a 12 character random password that contained symbols, characters and numbers...in which case...with that kind of determination...I couldn't stop them even if I wanted to :)

Normally, on a live server I wouldn't do this, but because the server and my computer are behind a NAT router and the SSH ports aren't even open (I don't htink -- how do I confirm that?) I'm not even sure I should be that worried about strong psaswords, never mind disabling root login. What says you? Give my situation?

Cheers,
Alex
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Re: Bad practice perhaps but considering?

Post by Kieran Huggins »

Security only needs to be as strong as the value of what you're protecting. It's really up to you.

I'd still use a root password, though.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Bad practice perhaps but considering?

Post by alex.barylski »

Protecting my pride and joy and several years of hard work. :P

To me it's worth billions to anyone else...it's worth nothing...
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Bad practice perhaps but considering?

Post by VladSun »

viewtopic.php?f=30&t=81218 ;)
You still need a strong root password.
I disabled root login by modiying the SSHD config file and I can no longer login as root remotely from any computer, even within my NAT router network.
I'm not sure what do you mean by that, but any non privileged user can use su, login etc. commands.
Normally, on a live server I wouldn't do this, but because the server and my computer are behind a NAT router and the SSH ports aren't even open (I don't htink -- how do I confirm that?)
Give me your IP :twisted: :twisted: :twisted: :lol:
There are 10 types of people in this world, those who understand binary and those who don't
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: Bad practice perhaps but considering?

Post by Jenk »

why can't you just do what everyone else does, and login via SSH on your normal account, then "su -" to root, or use "sudo" ?
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Bad practice perhaps but considering?

Post by VladSun »

Jenk wrote:why can't you just do what everyone else does, and login via SSH on your normal account, then "su -" to root, or use "sudo" ?
Yes, properly configured sudo will be the best choice. You should never trust an end-user ;)
There are 10 types of people in this world, those who understand binary and those who don't
Doug G
Forum Contributor
Posts: 282
Joined: Sun Sep 09, 2007 6:27 pm

Re: Bad practice perhaps but considering?

Post by Doug G »

Normally, on a live server I wouldn't do this, but because the server and my computer are behind a NAT router and the SSH ports aren't even open (I don't htink -- how do I confirm that?) I'm not even sure I should be that worried about strong psaswords, never mind disabling root login. What says you? Give my situation?
You can visit http://www.grc.com and run his Shields Up test to check what's open on your computer.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Bad practice perhaps but considering?

Post by alex.barylski »

I realize security is important but I don't believe it to be an all or nothing scenario. There would be little point in setting up a firewall if your computer never connected to the Internet or a network and run from a battery, would there?
why can't you just do what everyone else does, and login via SSH on your normal account, then "su -" to root, or use "sudo" ?
Because it's a PITA to constantly do that everytime I need to make a change or install something or whatever...considering I'm behind a router and it's NOT configured to allow ssh, I see no point in using strong passwords and following proper protocol.

Why can't you just answer my question instead of questioning my motives? :P

Show me HOW you would get around a NAT router and I'll follow your advice blindly...

@VladSun: I don't want to give you my IP just yet...although I will one day...if you wouldn't mind. :P

I am very curious to know how a SSH exploit be carried out though, if the ports are not open, does this not solve the issue of secure passwords?

As I understand it, if only port 80 (HTTP) requests and responses are allowed, the best an attacker could accomplish is find a hole in a script and execute arbitrary code under user no-body. I am 99% certain there are no holes in my software (I have no other software installed -- such as phpMyAdmin, etc) so HTTP attacks are unlikely as that domain is well understood.

I am genuinely curious though...until I open the ports for SSH (or other services) how in the world does a weak password comprimise my system? The more practical you can make it the better, theory is great but evidence is better.

Cheers,
Alex
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Bad practice perhaps but considering?

Post by alex.barylski »

Re-reading this it has come to my attention that maybe some of you mis-understood the setup or requirements.

Basically I have several computers behind a NAT router.

One is a Debian which acts as a HTTP server and it's IP address what I forward port 80 requests onto "when" that port is open...which usually is NOT open.

Internally I can access that server via it's IP address but without the port open...I have never been able to access the IP and see the web site/pages.

When I run a port scanner on my IP the only ports reported open are HTTP and DNS.

http://whatsmyip.org/ports/

There are no users other than me...I don't ever use sudo and only once have I regretted it. :P Because it's just me I don't care for logs, etc...

My dedicated server is configured entirely different...i'm not questioning accepted best practice(s) -- I'm asking if those practices are nessecary given my NAT router setup and my understanding of protocols and network security.

I simply fail to see how anything coule be exploited given the intereception of packets by the router before anything even gets a chance to see it.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Bad practice perhaps but considering?

Post by VladSun »

PCSpectra wrote:I am very curious to know how a SSH exploit be carried out though, if the ports are not open, does this not solve the issue of secure passwords?

As I understand it, if only port 80 (HTTP) requests and responses are allowed, the best an attacker could accomplish is find a hole in a script and execute arbitrary code under user no-body. I am 99% certain there are no holes in my software (I have no other software installed -- such as phpMyAdmin, etc) so HTTP attacks are unlikely as that domain is well understood.

I am genuinely curious though...until I open the ports for SSH (or other services) how in the world does a weak password comprimise my system? The more practical you can make it the better, theory is great but evidence is better.
You are right - in general :)
Now imagine a PHP script security hole and a weak root password:

Code: Select all

<?php
$connection = ssh2_connect('localhost', 22);
ssh2_auth_password($connection, 'root', 'weak_password');
$stream = ssh2_exec($connection, 'rm -rf /');
?>
;)
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Bad practice perhaps but considering?

Post by alex.barylski »

Now imagine a PHP script security hole and a weak root password:
I was hoping that was the answer. :)
Post Reply