On Monday 09 February 2009 13:37:31, Nikos Chantziaras wrote:
> Stroller wrote:
> > I install sudo, give my user wide sudo rights and then set
> > "PermitRootLogin no" in /etc/ssh/sshd_config.
> > (Critique of this measure welcomed).
>
> Since Hung already answered about the other problem, I'll just comment
> on this.
>
> It's a bad idea if the machine is open to the Internet, especially since
> it's easy to simply "su -" or "sudo" as a normal user.

Sorry, but I consider that to be BS advice (at least concerning that you want
to leave password-authentication open).

I'd always recommend disabling root login for ssh (as soon as that is
possible, i.e. you have an unprivileged account who is in group wheel who you
can use to access the machine in question), because root is a "well-known"
user (and thus lends itself well to a [possibly distributed] ssh brute force).

When someone wants to "hack" your machine, he's always going to try known
usernames before going on to guess what "additional" (unprivileged) usernames
might have been set up on your system. And, even when he gets access to one of
your user accounts (who happen to be in group wheel), he still has to guess
the root password (when doing su -) to be able to become root, and hopefully
this buys you the time to see in your logs that someone tried local "su" with
invalid passwords, which should always be a high priority alert.

YMMV, but I've felt pretty safe (safer than leaving root open for password-
authentication) like this so far.

--
Heiko Wundram
Gehrkens.IT GmbH

Phone 0511-59027953 | http://www.gehrkens.it
Fax 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Commercial register: Amtsgericht Hannover, HRB 200551
Managing directors: Harald Gehrkens, Daniel Netzer
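As an added example (not from the thread), a small Python log check in the spirit of the post's advice: it scans constructed auth.log lines for password guessing against root over ssh and for failed local "su" attempts, and raises a high-priority alert for each. The log format, hostname and addresses are assumed sample values.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (syslog style); not taken from any real host.
SAMPLE_LOG = """\
Feb  9 13:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb  9 13:40:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 51235 ssh2
Feb  9 13:40:05 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Feb  9 13:41:10 host sshd[2110]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Feb  9 13:42:30 host su[2120]: FAILED SU (to root) alice on pts/0
Feb  9 13:42:41 host su[2121]: FAILED SU (to root) alice on pts/0
Feb  9 13:42:55 host su[2122]: Successful su for root by alice
"""

# sshd password failures: the root-targeted ones are the traffic "PermitRootLogin no" is meant to deny.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
# Failed local su (shadow-utils style message): the event the post says should always be alerted on.
SU_FAIL = re.compile(r"su\[\d+\]: FAILED SU \(to (\S+)\) (\S+) on (\S+)")


def analyse(log_text, su_threshold=1):
    """Return a list of (severity, message) alerts derived from the log text."""
    ssh_fail_by_user_src = Counter()   # (username, source address) -> count
    su_fail_by_user_target = Counter()  # (local user, target account) -> count
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            ssh_fail_by_user_src[(m.group(1), m.group(2))] += 1
            continue
        m = SU_FAIL.search(line)
        if m:
            su_fail_by_user_target[(m.group(2), m.group(1))] += 1

    alerts = []
    # Any password guessing against root over ssh is worth a high-priority alert.
    for (user, src), n in ssh_fail_by_user_src.items():
        if user == "root":
            alerts.append(("high", f"{n} password attempts for root over ssh from {src}"))
    # Failed su with a wrong password from a local account, as the post recommends watching for.
    for (user, target), n in su_fail_by_user_target.items():
        if n >= su_threshold:
            alerts.append(("high", f"{n} failed local su from {user} to {target}"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```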