Re: Allowing remote root login seems to be bad. Why?



Ron Arts wrote:
Hi,

Today I found that different Linux distributions have various
policies regarding allowing remote root access. For example,
the Redhat/Fedora crowd seems to enable this on default installs,
but the Debian/Ubuntu crowd doesn't; they recommend sudo.

I googled around but could not find why Fedora allows it, and the
Debian people just seem to have one reason: 'allowing remote root
access is bad, everybody knows that'.

Suppose I ensure that root has a very strong password, then does
it really matter either way?

Thanks,
Ron

Script kiddies are constantly scouring the Net looking to crack the root account on boxes that they find. If you disable remote root access, you remove this threat. Then the attacker would have to be able to guess both a non-obvious username AND a non-obvious password in order to gain access to your box. Wouldn't a strong root password remove the threat anyway, though? Probably. But why take the chance? By disallowing remote root access, you remove this line of attack, and really don't inconvenience yourself very much by doing so, since you can easily perform root-level functions from your user account using sudo.

In fact, I strongly recommend the use of sudo in general. It's generally a bad idea to sign in as root anyway, partly for security reasons, but also partly so that if you accidentally do something stupid like "rm -rf /" it won't have catastrophic consequences. Better to just log in as your user account, and then briefly elevate to root privileges using sudo when needed.

DR
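
An added example, not part of the original thread or of either poster's message: a shell check for the setting discussed above, assuming remote access is through OpenSSH and configured in an sshd_config-style file. The function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example. Assumption: remote root access means OpenSSH, which controls
# it with the PermitRootLogin keyword in sshd_config.

# effective_root_login FILE -> prints the global value sshd would use.
effective_root_login() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        # Keywords are case-insensitive and the FIRST occurrence wins.
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_root_login FILE -> 0 only when root login is explicitly disabled.
audit_root_login() {
    value=$(effective_root_login "$1")
    case "$value" in
        no)
            echo "OK: remote root login disabled"; return 0 ;;
        prohibit-password|without-password|forced-commands-only)
            echo "WARN: root can still log in without a password ($value)"; return 1 ;;
        unset)
            echo "WARN: PermitRootLogin not set; compiled-in default applies"; return 1 ;;
        *)
            echo "FAIL: root password login allowed ($value)"; return 2 ;;
    esac
}

# Constructed sample: a commented-out default, duplicate keys, a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF
audit_root_login "$sample" || true
rm -f "$sample"
```

The check does not follow `Include` directives or evaluate `Match` blocks; on a live host, `sshd -T` prints the configuration sshd actually resolves.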


