Re: Allowing remote root login seems to be bad. Why?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kosala Atapattu wrote:
| On Tue, Jun 3, 2008 at 11:21 PM, David Edwards
| <DEdwards@xxxxxxxxxxx> wrote:
|> Ron,
|>
|> I do agree that allowing root access in some cases does make sense.
|
| Are we missing something? Tell me that I don't understand something
| here. How can a user doing "su -" and jumping to root after login with
| a regular user be different from login with direct root.
|

The key difference is that they are not logging in as root. There are
more hoops to jump through before they can even try.

The majority of attempts on my boxen are to try to log in as root. All
the rest are attempts to log in to non-existent accounts. fail2ban
slows down the attempts. There appears to be a flaw in the botnet(s)
that causes it to repeat already failed attempts several times so
fail2ban helps greatly to impede their progress.

It seems that su is risky. It should have more restrictions built into
it, perhaps some kind of access control like sudo has. Some admins
remove or rename su, put it in a wrapper or set permissions to permit
only root and/or certain users to use it. A log watching script can
nail users who use su too much or have many failed su attempts.


==
- --
jd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFISUBkhpL3F+HeDrIRAvznAKCGr5w4Aa5VEPTonRn1cGDrBhZROQCeNHl6
pn83HOroyWIsA4pJuGZ72kk=
=GoQ+
-----END PGP SIGNATURE-----
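
The log-watching idea from the message above, as an added example that is not part of the original post: a Python script that counts su use per user and flags anyone over a threshold. The log lines are constructed samples in the wording shadow-utils su writes; the thresholds and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style shadow-utils su writes to auth.log.
# The exact wording differs between su implementations and distributions.
SAMPLE_LOG = """\
Jun  3 23:40:01 host1 su[2101]: Successful su for root by alice
Jun  3 23:41:12 host1 su[2107]: FAILED su for root by bob
Jun  3 23:41:20 host1 su[2109]: FAILED su for root by bob
Jun  3 23:41:31 host1 su[2111]: FAILED su for root by bob
Jun  3 23:45:02 host1 sshd[2150]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
Jun  3 23:50:45 host1 su[2190]: Successful su for root by alice
Jun  3 23:55:09 host1 su[2203]: Successful su for postgres by carol
Jun  3 23:58:30 host1 su[2210]: FAILED su for root by carol
"""

# Matches only su's own result lines; sshd and other daemons are ignored.
SU_EVENT = re.compile(
    r"\bsu(?:\[\d+\])?: (?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<user>\S+)"
)

def count_su_events(lines):
    """Return (successful, failed) Counters keyed by the invoking user."""
    ok, failed = Counter(), Counter()
    for line in lines:
        m = SU_EVENT.search(line)
        if not m:
            continue
        (ok if m["result"] == "Successful" else failed)[m["user"]] += 1
    return ok, failed

def flag_users(lines, max_failed=2, max_total=5):
    """Map each user over a threshold (assumed defaults) to the reasons why."""
    ok, failed = count_su_events(lines)
    flagged = {}
    for user in sorted(set(ok) | set(failed)):
        reasons = []
        if failed[user] > max_failed:
            reasons.append(f"{failed[user]} failed su attempts")
        if ok[user] + failed[user] > max_total:
            reasons.append(f"{ok[user] + failed[user]} su invocations")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_users(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {', '.join(reasons)}")
```
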


