LinuxQuestions.org
Old 09-23-2014, 04:51 PM   #1
mwalshe2000
LQ Newbie
 
Registered: Sep 2014
Distribution: debian
Posts: 2

Rep: Reputation: Disabled
Logging in as Root via ssh


Hi,

as a relative newbie to Debian, I'm wondering if it's secure to connect as Root, via ssh?


Best Regards,

Michael
 
Old 09-23-2014, 04:53 PM   #2
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2142
Unless it's absolutely needed for whatever reason (and even then only on systems within a protected LAN), it's generally best to disable root ssh access in sshd. I certainly wouldn't enable root ssh access on a server with a public IP.

Think of it this way - if root ssh access is not allowed, then for an attacker to brute-force their way into root control of your system, they would need to solve three unknowns: 1) a valid user name on your system, 2) the password for that user, and then once they were on, 3) the root password. If root ssh access is allowed, then all an attacker needs to brute-force is the root password, which unless it's painfully complex, wouldn't be all that difficult if the system didn't have any denyhosts type auto-ban daemon running.

Last edited by suicidaleggroll; 09-23-2014 at 05:01 PM.
 
Old 09-23-2014, 04:56 PM   #3
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
Quote:
Originally Posted by mwalshe2000
Hi,

as a relative newbie to Debian, I'm wondering if it's secure to connect as Root, via ssh?


Best Regards,

Michael
It is secure as in "ssh is an acronym for Secure SHell", but it is not good practice.

In general, you want to disable root logins via ssh because they are a direct path to compromised systems. If disabled, an intruder must first crack the non-root user access, then still crack root access.
 
Old 09-23-2014, 04:57 PM   #4
netnix99
Member
 
Registered: Jun 2011
Distribution: redhat, CentOS, OpenBSD
Posts: 298

Rep: Reputation: 99
I agree with suicidaleggroll. Disable root login via ssh. If the admin(s) have to log in as themselves, then su to root, you get a log of what has taken place in /var/log/secure (on Red Hat & similar distros). This at least provides you the ability to track down who changed what and when.
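
A way to check the setting recommended in the posts above, as an added example that is not part of the original thread: it reads an sshd_config-style file and reports the global value of OpenSSH's `PermitRootLogin` keyword. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global PermitRootLogin setting.

# Print the first global PermitRootLogin value in an sshd_config-style file.
# sshd uses the first value it obtains for a keyword, so later duplicates are
# ignored. Match blocks are conditional overrides, so scanning stops at the
# first one. Include files are not followed. Prints "unset" if nothing is found.
root_login_policy() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { kw = tolower($1) }                     # keywords are case-insensitive
        kw == "match" { exit }                   # end of the global section
        kw == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root login over ssh is explicitly set to "no".
root_ssh_disabled() {
    [ "$(root_login_policy "$1")" = "no" ]
}

# Constructed sample config: sshd would ignore the second PermitRootLogin line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server config
Port 22
PermitRootLogin no
PermitRootLogin yes
EOF

if root_ssh_disabled "$sample"; then
    echo "root ssh login: disabled"
else
    echo "root ssh login: $(root_login_policy "$sample") (not disabled)"
fi
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration of the installed server, which also accounts for defaults that a file scan like this cannot see.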
 
Old 09-23-2014, 05:12 PM   #5
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2142
To give you an idea of why it's a bad idea, here's a little excerpt from my /var/log/secure from this morning:

Code:
Sep 23 06:43:03 chef sshd[16837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.52.3  user=root
Sep 23 06:43:05 chef sshd[16837]: Failed password for root from 222.186.52.3 port 1282 ssh2
Sep 23 06:43:05 chef sshd[16838]: Connection closed by 222.186.52.3
Sep 23 06:43:36 chef sshd[16840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.52.3  user=root
Sep 23 06:43:38 chef sshd[16840]: Failed password for root from 222.186.52.3 port 2263 ssh2
Sep 23 06:43:40 chef sshd[16841]: Connection closed by 222.186.52.3
Sep 23 06:43:59 chef sshd[16843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.52.3  user=root
Sep 23 06:44:01 chef sshd[16843]: Failed password for root from 222.186.52.3 port 4133 ssh2
Sep 23 06:44:02 chef sshd[16844]: Connection closed by 222.186.52.3
Sep 23 06:44:04 chef sshd[16845]: refused connect from 222.186.52.3 (222.186.52.3)
Sep 23 06:44:13 chef sshd[16847]: refused connect from 222.186.52.3 (222.186.52.3)
Sep 23 06:44:20 chef sshd[16848]: refused connect from 222.186.52.3 (222.186.52.3)
Sep 23 06:44:26 chef sshd[16849]: refused connect from 222.186.52.3 (222.186.52.3)

This script kiddie had three tries, after that denyhosts kicked in and added their IP to hosts.deny, which means they are forever banned from my system. Of course I have root ssh disabled, but if I hadn't, and if I didn't have denyhosts or some other auto-ban system running, this person could just sit there and hammer my server until they managed to crack the root password. Maybe they would never crack it, maybe they would, but it's not a gamble I'm willing to take.

This server just had a new OS installed a hair over a month ago (Aug 16), and denyhosts has already thrown 230 IPs in the ban list for too many failed SSH attempts. The above excerpt is just the most recent one.

Last edited by suicidaleggroll; 09-23-2014 at 05:18 PM.
 
1 members found this post helpful.
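
The pattern in the log excerpt above can be counted per source address, as an added example that is not part of the original post and is not how denyhosts itself is implemented: it tallies `Failed password for root` lines by IP and lists the sources at or above a threshold. The function names, the threshold argument and the sample log lines (documentation-range addresses) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count failed root password attempts
# per source IP in sshd log lines read from stdin.

# Usage: root_bruteforce_sources MIN < logfile
# Prints "IP COUNT" for every source with at least MIN failed root attempts.
root_bruteforce_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for root from / {
            # the address is the field that follows the word "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort
}

# Constructed sample log in the same format as the excerpt in the post.
sample_log() {
    cat <<'EOF'
Sep 23 06:43:05 host sshd[1001]: Failed password for root from 203.0.113.7 port 1282 ssh2
Sep 23 06:43:38 host sshd[1002]: Failed password for root from 203.0.113.7 port 2263 ssh2
Sep 23 06:44:01 host sshd[1003]: Failed password for root from 203.0.113.7 port 4133 ssh2
Sep 23 06:50:10 host sshd[1004]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Sep 23 06:51:12 host sshd[1005]: Failed password for root from 198.51.100.9 port 5002 ssh2
Sep 23 06:52:00 host sshd[1006]: Accepted password for alice from 198.51.100.9 port 5003 ssh2
EOF
}

# Three failed root attempts is the point at which the post's source was banned.
sample_log | root_bruteforce_sources 3
```

On the Red Hat style systems mentioned in the thread the input would be `/var/log/secure`, for example `root_bruteforce_sources 3 < /var/log/secure`.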
All times are GMT -5.