| 1 |
Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras: |
| 2 |
> Stroller wrote: |
| 3 |
> > I install sudo, give my user wide sudo rights and then set |
| 4 |
> > "PermitRootLogin no" in /etc/ssh/sshd_config. |
| 5 |
> > (Critique of this measure welcomed). |
| 6 |
> |
| 7 |
> Since Hung already answered about the other problem, I'll just comment |
| 8 |
> on this. |
| 9 |
> |
| 10 |
> It's a bad idea if the machine is open to the Internet, especially since |
| 11 |
> it's easy to simply "su -" or "sudo" as a normal user. |
| 12 |
|
| 13 |
Sorry, but I consider that to be BS advice (at least concerning that you want |
| 14 |
to leave password-authentication open). |
| 15 |
|
| 16 |
I'd always recommend disabling root login for ssh (as soon as that is |
| 17 |
possible, i.e. you have an unpriviledged account who is in group wheel who you |
| 18 |
can use to access the machine in question), because root is a "well-known" |
| 19 |
user (and thus lends itself well to a [possibly distributed] ssh brute force). |
| 20 |
|
| 21 |
When someone wants to "hack" your machine, he's always going to try known |
| 22 |
usernames before going on to guess what "additional" (unpriviledged) usernames |
| 23 |
might have been set up on your system. And, even when he gets access to one of |
| 24 |
your user accounts (who happen to be in group wheel), he still has to guess |
| 25 |
the root password (when doing su -) to be able to become root, and hopefully |
| 26 |
this buys you the time to see in your logs that someone tried local "su" with |
| 27 |
invalid passwords, which should always be a high priority alert. |
| 28 |
|
| 29 |
YMMV, but I've felt pretty safe (safer than leaving root open for password- |
| 30 |
authentication) like this so far. |
| 31 |
|
| 32 |
-- |
| 33 |
Heiko Wundram |
| 34 |
Gehrkens.IT GmbH |
| 35 |
|
| 36 |
FON 0511-59027953 | http://www.gehrkens.it |
| 37 |
FAX 0511-59027957 | http://www.xencon.net |
| 38 |
|
| 39 |
Gehrkens.IT GmbH |
| 40 |
Strasse der Nationen 5 |
| 41 |
30539 Hannover |
| 42 |
|
| 43 |
Registergericht: Amtsgericht Hannover, HRB 200551 |
| 44 |
Geschäftsführer: Harald Gehrkens, Daniel Netzer |
Archives