Re: Allowing remote root login seems to be bad. Why? (SUMMARY)



If I may chime in a bit late...

On Tue, 2008-06-03 at 13:18 -0700, Ben Ford wrote:
Very weak security model.


I think it deserves more credit than that. This will neutralize most
attacks where the attacker doesn't know what IP address you do or don't
allow in.

On Wed, 2008-06-04 at 08:51 +0200, Ron Arts wrote:
Stated differently: will dictionary attacks always succeed?


It depends on the dictionary :) but to generalize: every password can be guessed.

On Fri, 2008-06-06 at 03:17 -0700, Bond Masuda wrote:
In my experience, using public key authentication is often more of a
security risk, depending on the situation. If the remote machine that
holds the private key (and some store this with no password for
convenience) is compromised, they immediately have an open door into
your server. You may have no control over how passwords are enforced,
updates are applied, or if any security is implemented on the remote end.
Setting up public key authentication, in effect, extends your "trust
domain" to a server that may not be so trustworthy. To me, it makes
more sense to rely on security I can control (which is often not the
case if it is some other user's office desktop or workstation).

-Bond

I just want to point out that the same argument can usually be applied
to password-based authentication. There are a number of ways that a
compromised workstation will compromise their password, too: keyloggers
being the first that comes to mind. I bet there's a lot more malware
out there that looks for passwords going into password fields than
malware that looks for private keys.

I guess it could go either way, but I still think you've got better odds
with key-based authentication.


On Mon, 2008-06-02 at 10:29 +0200, Ron Arts wrote:
Hi,

<Ron's original post>


To respond to your original question, Ron, consider that security is
not a switch but a scale. There are always things you could be doing
better, or worse. Usually the biggest thing to consider is risk versus
inconvenience, because security almost always comes at the cost of
convenience.

If you're looking for an academic answer to why remote root login is
bad, it's been answered a few times over: it's not bad, but it could be
better. Non-privileged login + sudo means having to guess a
username+password combination, plus a second password, as opposed to
having to just guess a password.

If you're interested in a more practical answer, consider how
inconvenient it is to have to log in as jdoe and then su into root. In
my opinion, it's not. It takes me an extra 3 or 4 seconds at the
beginning of an SSH session. Whenever I have the choice, I stick with
no root login because the gain is high and the cost is low. So I guess my
response to "Why" is "Why not?"

Hope that was beneficial,

Mark
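
As an added example (not code from the thread or from any of the posters), here is a small audit of the three sshd_config settings this exchange turns on: remote root login, password versus key authentication, and the source-address allow-list from the first reply. Both config fragments are constructed for illustration, 192.0.2.0/24 is a placeholder range, and the parser mimics sshd's first-occurrence-wins rule while skipping Match blocks.

```python
import re

# Constructed sample configs (hypothetical hosts, not taken from the thread).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers jdoe
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jdoe@192.0.2.0/24
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section.

    Like sshd, the first occurrence of a keyword wins; 'Match' blocks are
    skipped because their settings apply only to some connections.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return findings for the risks discussed in the thread (empty list = clean)."""
    s = parse_sshd_config(text)
    findings = []
    # Unset is flagged too: the default has differed between OpenSSH versions.
    if s.get("permitrootlogin", "unset") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin: root can be guessed at directly; set 'no' and use sudo/su")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication: dictionary attacks remain possible; prefer keys")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is a login target")
    elif not all("@" in u for u in s.get("allowusers", "").split()):
        findings.append("AllowUsers entry without a source address (user@host or user@CIDR)")
    return findings
```

Running `audit(WEAK_CONFIG)` reports three findings and `audit(HARDENED_CONFIG)` reports none; point the parser at a real file's contents to audit a live host.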


