Register a domain and help support LQ
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 10-11-2006, 12:52 PM   #1
Senior Member
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 75
Disable Root Login Via SSH = Why?

OK - so I was told that when my machine has the SSH server (not client) running, it is best practice to disable "permit root login". I did this but I don't really see the point. If someone can login to your machine via SSH as root, SSH is the least of your problems, no? Is they can hack your root password, how is your user password any safer? Sure they can hack bill's password on the server but then "Bill" really can't do anything to destroy the box but they can "su" and then attack if they get the password, no?

Can someone please help me here to understand if this is a safe method or just scare tactics.
Old 10-11-2006, 01:05 PM   #2
LQ Guru
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 269Reputation: 269Reputation: 269
You've hit the nail on the head already. It's just an extra step. If they hack bill's password they can only be bill. To su, they also have to hack root's password. If you enable root login via ssh, they now only need one password to completely take over your box.

Now if you do something silly like allow bill total root access through sudo, then they can easily just be root by hacking bill. But really, sudo should be used to setup only those commands that bill really needs to have access to as root.
Old 10-11-2006, 01:10 PM   #3
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
It's just getting you into the right mindset.

Root should ONLY be used for in-front-of-the-actual-server, critical administration tasks that cannot be performed any other way.

Plus, even if Bob can su to root, they likely will not have the same password so you've just doubled the work of any potential password-guesser.

It's not a MAJOR security problem, it's more good practice and another little blockade in the way of someone getting root.

In some cases, you HAVE to allow root via SSH - dedicated servers in remote locations etc. - but the main point is, if there's no NEED to have root be able to login remotely, then it's safer just to turn off that capability entirely.

In the same way, the firewall on a server will stop any access/attacks on ports you don't want to expose (Samba, NFS etc.) but to also stop any server process running that you DON'T NEED is just an extra line in the defense.
Old 10-11-2006, 01:13 PM   #4
Senior Member
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
Thanks for the info all!
Old 10-11-2006, 01:32 PM   #5
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971Reputation: 1971
in addition they would know that the root user exists in the first place. why should anyone out there know your user account is called carlwill or something. unless you have that username blatantly advertised you almost have a conceptual password there too. you will get the same response from the ssh server if a user does not exist, or if a real user has tried to log in with the wrong password. let's say you have 1,000,000 possible usernames, and you have 1,000,000 possible passwords. therefore you have 1,000,000,000,000 username/password combinations. that's one BIG dictionary attack....


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Disable Root login via ssh UltraSoul Solaris / OpenSolaris 3 02-09-2007 03:18 AM
disable root login via ssh with one exeption inoxtech Linux - Security 3 06-30-2005 12:28 PM
disable root login with ssh linuxtesting2 Slackware 3 02-16-2005 01:33 PM
How can I disable root login with SSH? blk96gt Slackware 9 10-02-2004 08:09 AM
SSH/Telnet, disable root login, how? muhazam Linux - Security 6 08-17-2004 01:49 PM

All times are GMT -5. The time now is 02:38 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration