Bad practice perhaps but considering?
Posted: Sun Nov 30, 2008 6:22 pm
by alex.barylski
I have a Debian box which has two user accounts which are active -- in the sense they allow logins.
This computer sits behind a router for the most part but will be occasionally opened to the world.
I disabled root login by modifying the SSHD config file and I can no longer login as root remotely from any computer, even within my NAT router network.
The user account is a totally random 12 character password which I needed to record cause I'd never remember.
Anyways...occasionally I want to install something or whatever and would prefer to leave the root password blank or something simple like password. Seeing as no one will be able to login directly as root, remotely anyways, would this be bad practice?
On second thought...I guess all they would have to do is login to my user account and SU into root...
Although honestly, I'd be surprised if anyone cracked a 12 character random password that contained symbols, characters and numbers...in which case...with that kind of determination...I couldn't stop them even if I wanted to
Normally, on a live server I wouldn't do this, but because the server and my computer are behind a NAT router and the SSH ports aren't even open (I don't think -- how do I confirm that?) I'm not even sure I should be that worried about strong passwords, never mind disabling root login. What says you? Given my situation?
Cheers,
Alex
Re: Bad practice perhaps but considering?
Posted: Sun Nov 30, 2008 6:38 pm
by Kieran Huggins
Security only needs to be as strong as the value of what you're protecting. It's really up to you.
I'd still use a root password, though.
Re: Bad practice perhaps but considering?
Posted: Sun Nov 30, 2008 7:29 pm
by alex.barylski
Protecting my pride and joy and several years of hard work.
To me it's worth billions, to anyone else...it's worth nothing...
Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 3:16 am
by VladSun
viewtopic.php?f=30&t=81218 
You still need a strong root password.
I disabled root login by modifying the SSHD config file and I can no longer login as root remotely from any computer, even within my NAT router network.
I'm not sure what you mean by that, but any non-privileged user can use su, login etc. commands.
Normally, on a live server I wouldn't do this, but because the server and my computer are behind a NAT router and the SSH ports aren't even open (I don't think -- how do I confirm that?)
Give me your IP

Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 4:43 am
by Jenk
Why can't you just do what everyone else does, and login via SSH on your normal account, then "su -" to root, or use "sudo"?
Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 6:12 am
by VladSun
Jenk wrote: Why can't you just do what everyone else does, and login via SSH on your normal account, then "su -" to root, or use "sudo"?
Yes, properly configured sudo will be the best choice. You should never trust an end-user

Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 4:34 pm
by Doug G
Normally, on a live server I wouldn't do this, but because the server and my computer are behind a NAT router and the SSH ports aren't even open (I don't think -- how do I confirm that?) I'm not even sure I should be that worried about strong passwords, never mind disabling root login. What says you? Given my situation?
You can visit http://www.grc.com and run his Shields Up test to check what's open on your computer.
Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 5:58 pm
by alex.barylski
I realize security is important but I don't believe it to be an all or nothing scenario. There would be little point in setting up a firewall if your computer never connected to the Internet or a network and ran from a battery, would there?
Why can't you just do what everyone else does, and login via SSH on your normal account, then "su -" to root, or use "sudo"?
Because it's a PITA to constantly do that every time I need to make a change or install something or whatever...considering I'm behind a router and it's NOT configured to allow ssh, I see no point in using strong passwords and following proper protocol.
Why can't you just answer my question instead of questioning my motives?
Show me HOW you would get around a NAT router and I'll follow your advice blindly...
@VladSun: I don't want to give you my IP just yet...although I will one day...if you wouldn't mind.
I am very curious to know how an SSH exploit could be carried out though, if the ports are not open, does this not solve the issue of secure passwords?
As I understand it, if only port 80 (HTTP) requests and responses are allowed, the best an attacker could accomplish is find a hole in a script and execute arbitrary code under user nobody. I am 99% certain there are no holes in my software (I have no other software installed -- such as phpMyAdmin, etc) so HTTP attacks are unlikely as that domain is well understood.
I am genuinely curious though...until I open the ports for SSH (or other services) how in the world does a weak password compromise my system? The more practical you can make it the better, theory is great but evidence is better.
Cheers,
Alex
Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 6:10 pm
by alex.barylski
Re-reading this it has come to my attention that maybe some of you misunderstood the setup or requirements.
Basically I have several computers behind a NAT router.
One is a Debian which acts as an HTTP server and its IP address is what I forward port 80 requests onto "when" that port is open...which usually is NOT open.
Internally I can access that server via its IP address but without the port open...I have never been able to access the IP and see the web site/pages.
When I run a port scanner on my IP the only ports reported open are HTTP and DNS.
http://whatsmyip.org/ports/
There are no users other than me...I don't ever use sudo and only once have I regretted it.

Because it's just me I don't care for logs, etc...
My dedicated server is configured entirely different...I'm not questioning accepted best practice(s) -- I'm asking if those practices are necessary given my NAT router setup and my understanding of protocols and network security.
I simply fail to see how anything could be exploited given the interception of packets by the router before anything even gets a chance to see it.
Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 6:18 pm
by VladSun
PCSpectra wrote: I am very curious to know how an SSH exploit could be carried out though, if the ports are not open, does this not solve the issue of secure passwords?
As I understand it, if only port 80 (HTTP) requests and responses are allowed, the best an attacker could accomplish is find a hole in a script and execute arbitrary code under user nobody. I am 99% certain there are no holes in my software (I have no other software installed -- such as phpMyAdmin, etc) so HTTP attacks are unlikely as that domain is well understood.
I am genuinely curious though...until I open the ports for SSH (or other services) how in the world does a weak password compromise my system? The more practical you can make it the better, theory is great but evidence is better.
You are right - in general

Now imagine a PHP script security hole and a weak root password:
<?php
$connection = ssh2_connect('localhost', 22);
ssh2_auth_password($connection, 'root', 'weak_password');
$stream = ssh2_exec($connection, 'rm -rf /');
?>
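
Editor's added example (not part of the thread or any poster's code): a local audit of the settings that still matter once code is running on the box itself, where the NAT router filters nothing. The function names, the default values passed to `sshd_effective`, and all sample file contents are constructed for illustration; the sample shows root SSH login disabled while the root password field is still empty.

```shell
#!/bin/sh
# Effective value of an sshd_config keyword. sshd takes the FIRST occurrence
# and keywords are case-insensitive; commented lines never match because
# their first field starts with "#". $3 = default to report when unset
# (defaults differ between OpenSSH versions, so the caller supplies it).
sshd_effective() {
    awk -v key="$1" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$2"
}

# Accounts in a shadow-format file whose password field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Local addresses from `ss -tln` output that are not bound to loopback,
# i.e. reachable from other hosts unless a firewall or NAT sits in between.
non_loopback_listeners() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ { print $4 }' "$1"
}

# audit SSHD_CONFIG SHADOW SS_OUTPUT: one finding per line.
audit() {
    [ "$(sshd_effective PermitRootLogin "$1" yes)" = no ] || echo "root-login-allowed"
    [ "$(sshd_effective PermitEmptyPasswords "$1" no)" = no ] || echo "empty-passwords-allowed"
    for u in $(empty_password_accounts "$2"); do echo "empty-password:$u"; done
    for s in $(non_loopback_listeners "$3"); do echo "listening:$s"; done
}

# Constructed sample inputs (not taken from the thread).
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' 'PermitRootLogin yes' \
    > "$d/sshd_config"
printf '%s\n' 'root::14213:0:99999:7:::' \
    'alex:$6$constructed$notarealhash:14213:0:99999:7:::' > "$d/shadow"
printf '%s\n' 'State Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*' \
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
    'LISTEN 0 128 0.0.0.0:80 0.0.0.0:*' > "$d/ss.txt"

audit "$d/sshd_config" "$d/shadow" "$d/ss.txt"
```

This simple parser ignores `Match` blocks; on a live system `sshd -T` prints the configuration the daemon actually uses.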

Re: Bad practice perhaps but considering?
Posted: Mon Dec 01, 2008 7:25 pm
by alex.barylski
Now imagine a PHP script security hole and a weak root password:
I was hoping that was the answer.
