Re: Allowing remote root login seems to be bad. Why?



Ron Arts wrote:
Hi,

Today I found that different Linux distributions have various
policies regarding allowing remote root access. For example,
the Redhat/Fedora crowd seems to enable this on default installs,
but the Debian/Ubuntu crowd doesn't; they recommend sudo.

I googled around but could not find why Fedora allows it, and the
Debian people just seem to have one reason: 'allowing remote root
access is bad, everybody knows that'.

Suppose I ensure that root has a very strong password, then does
it really matter either way?

Thanks,
Ron

Script kiddies are constantly scouring the Net looking to crack the root account on boxes that they find. If you disable remote root access, you remove this threat. Then the attacker would have to be able to guess both a non-obvious username AND a non-obvious password in order to gain access to your box. Wouldn't a strong root password remove the threat anyway, though? Probably. But why take the chance? By disallowing remote root access, you remove this line of attack, and really don't inconvenience yourself very much by doing so, since you can easily perform root-level functions from your user account using sudo.

In fact, I strongly recommend the use of sudo in general. It's generally a bad idea to sign in as root anyway, partly for security reasons, but also partly so that if you accidentally do something stupid like "rm -rf /" it won't have catastrophic consequences. Better to just log in as your user account, and then briefly elevate to root privileges using sudo when needed.

DR
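
One way to check this setting on a server, added here as an example that is not part of the original post. It assumes the remote login service is OpenSSH (the thread names no daemon) and reads the `PermitRootLogin` keyword from `sshd_config` text; the function names and sample configs are constructed for illustration.

```python
# Added example. Assumption: remote access is served by OpenSSH's sshd.
KEY_ONLY = {"prohibit-password", "without-password", "forced-commands-only"}

def effective_permit_root_login(config_text, default="prohibit-password"):
    """Return the global PermitRootLogin value from sshd_config text.

    sshd keeps the FIRST value it reads for a keyword, matches keywords
    case-insensitively, and accepts "Keyword=value". Scanning stops at the
    first Match block, whose settings are conditional rather than global.
    `default` is upstream OpenSSH's value since 7.0; older or distro-patched
    builds may differ, so pass the right one for the host being audited.
    Include files are not followed here.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) > 1:
            return parts[1].strip('"').lower()
    return default

def audit(config_text):
    """Classify the setting against the advice in the reply above."""
    value = effective_permit_root_login(config_text)
    if value == "no":
        return value, "ok: no remote root login; log in as a user and use sudo"
    if value in KEY_ONLY:
        return value, "partial: root password guessing is blocked, key login remains"
    return value, "weak: root password can be guessed over the network"

# Constructed sample configs (not taken from any real host).
WEAK = """\
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
"""
HARDENED = "permitrootlogin=no\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

On a live host, `sshd -T` prints the effective configuration, including defaults and included files, and is the authoritative check.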


