Posted Feb 15, 2007 14:56 UTC (Thu) by tialaramex
In reply to: Linux botnets
Parent article: Linux botnets
I don't see any reason to permit remote root login on Internet-facing servers (or desktop machines for that matter). A genuine administrator should have a user account, unique to them as a person, which can be audited.
The first attack scenario I'm considering is an outsider who is able to connect to the SSH server and perhaps has some limited (unprivileged) access to the target machine (e.g. forum user access on a web server), plus they can snoop some of your traffic. This scenario would be typical for a black hat setting up a zombie network, who has already subverted some nearby machines in the network but not yours.
With root SSH logins, they can target the root account (yes, it could be renamed in theory, but unlike the Windows "Administrator" account that's not a routine precaution) and the only thing keeping you safe is that SSH server's authentication. Any flaws in that single line of defense, whether security mistakes (you left your laptop unattended and they stole the private key file?) or system problems (OpenSSH is revealed to allow in 1-in-4 billion connections without authenticating), are a total loss.
In my alternative, they must actively target administrative users, without knowing in advance what names are used. Even if they get SSH access as a user, they still need to escalate to root, which is another layer of security, albeit one that we know is much weaker. On the other hand, if they obtain (for example by social engineering) a root password or sudo root password equivalent, they still need remote access to use it. So in either case you've got two-layer security.
I use and recommend private user logins, via SSH public keys PLUS an audited authentication step for escalating to root privileges. Also, people should pay attention to the security of their SSH private keys. On every machine where you keep such a key, consider how a black hat might get access to the key and what they can access with it once they have it. If you use a passphrase (which you should), how are you sure the entry method is itself secure (IIRC trojans asking for the SSH passphrase have been seen in the wild)?
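As an added illustration (not part of tialaramex's comment or of OpenSSH), a POSIX shell check that flags the sshd_config settings the comment argues against, run over two constructed config fragments. The helper names `ssh_opt` and `audit_sshd` are invented for this example, and it assumes a config without Match blocks.

```shell
#!/bin/sh
# Constructed sshd_config fragments (not from any real host): the weak settings
# the comment argues against, and the hardened counterpart it recommends.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
# Hardened counterpart: admins log in as themselves with keys, then escalate.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# ssh_opt FILE KEYWORD DEFAULT: effective value of KEYWORD. sshd honours the
# first occurrence of a keyword, ignores comment and blank lines, and matches
# keywords case-insensitively. Match blocks are not handled (assumed absent).
ssh_opt() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd FILE: prints each finding to stderr and the finding count to stdout.
# Assumption: an absent PermitRootLogin counts as "yes" (the historical OpenSSH
# default); newer releases default to prohibit-password, but an explicit "no"
# is the only value that matches the comment's advice.
audit_sshd() {
    n=0
    root=$(ssh_opt "$1" PermitRootLogin yes)
    pw=$(ssh_opt "$1" PasswordAuthentication yes)
    pk=$(ssh_opt "$1" PubkeyAuthentication yes)
    [ "$root" = "no" ] || { echo "FINDING: PermitRootLogin=$root, set it to no" >&2; n=$((n+1)); }
    [ "$pw" = "no" ]   || { echo "FINDING: PasswordAuthentication=$pw, use keys instead" >&2; n=$((n+1)); }
    [ "$pk" = "yes" ]  || { echo "FINDING: PubkeyAuthentication=$pk, enable it" >&2; n=$((n+1)); }
    echo "$n"
}

echo "weak config findings: $(audit_sshd "$WEAK_CFG")"         # 2
echo "hardened config findings: $(audit_sshd "$HARD_CFG")"     # 0
```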