LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-11-2006, 11:52 AM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 75
Disable Root Login Via SSH = Why?


OK - so I was told that when my machine has the SSH server (not client) running, it is best practice to disable "permit root login". I did this but I don't really see the point. If someone can login to your machine via SSH as root, SSH is the least of your problems, no? Is they can hack your root password, how is your user password any safer? Sure they can hack bill's password on the server but then "Bill" really can't do anything to destroy the box but they can "su" and then attack if they get the password, no?

Can someone please help me here to understand if this is a safe method or just scare tactics.
 
Old 10-11-2006, 12:05 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 269Reputation: 269Reputation: 269
You've hit the nail on the head already. It's just an extra step. If they hack bill's password they can only be bill. To su, they also have to hack root's password. If you enable root login via ssh, they now only need one password to completely take over your box.

Now if you do something silly like allow bill total root access through sudo, then they can easily just be root by hacking bill. But really, sudo should be used to setup only those commands that bill really needs to have access to as root.
 
Old 10-11-2006, 12:10 PM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
It's just getting you into the right mindset.

Root should ONLY be used for in-front-of-the-actual-server, critical administration tasks that cannot be performed any other way.

Plus, even if Bob can su to root, they likely will not have the same password so you've just doubled the work of any potential password-guesser.

It's not a MAJOR security problem, it's more good practice and another little blockade in the way of someone getting root.

In some cases, you HAVE to allow root via SSH - dedicated servers in remote locations etc. - but the main point is, if there's no NEED to have root be able to login remotely, then it's safer just to turn off that capability entirely.

In the same way, the firewall on a server will stop any access/attacks on ports you don't want to expose (Samba, NFS etc.) but to also stop any server process running that you DON'T NEED is just an extra line in the defense.
 
Old 10-11-2006, 12:13 PM   #4
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
Thanks for the info all!
 
Old 10-11-2006, 12:32 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970
in addition they would know that the root user exists in the first place. why should anyone out there know your user account is called carlwill or something. unless you have that username blatantly advertised you almost have a conceptual password there too. you will get the same response from the ssh server if a user does not exist, or if a real user has tried to log in with the wrong password. let's say you have 1,000,000 possible usernames, and you have 1,000,000 possible passwords. therefore you have 1,000,000,000,000 username/password combinations. that's one BIG dictionary attack....
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Disable Root login via ssh UltraSoul Solaris / OpenSolaris 3 02-09-2007 02:18 AM
disable root login via ssh with one exeption inoxtech Linux - Security 3 06-30-2005 11:28 AM
disable root login with ssh linuxtesting2 Slackware 3 02-16-2005 12:33 PM
How can I disable root login with SSH? blk96gt Slackware 9 10-02-2004 07:09 AM
SSH/Telnet, disable root login, how? muhazam Linux - Security 6 08-17-2004 12:49 PM


All times are GMT -5. The time now is 02:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration