LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Linux botnets

Linux botnets

Posted Feb 15, 2007 12:43 UTC (Thu) by minichaz (guest, #630)
In reply to: Linux botnets by dd9jn
Parent article: Linux botnets

I agree with using keys (ideally with passphrases too) but there's no need to allow root logins through SSH, particularly on internet facing servers. Set "PermitRootLogin no" and use "AllowGroups" or "AllowUsers" to prevent attacks against other accounts which should never connect over SSH.

Charlie

(Log in to post comments)

Linux botnets

Posted Feb 15, 2007 13:03 UTC (Thu) by dd9jn (subscriber, #4459) [Link]

So and how do you get root access? Using su requires a password again and sudo without password will do nothing else but alias that user account to root. There is an old crypto rule which states: Put all your secret into one basket and watch that basket very well.

Public key authentication is far better than any password scheme. If you worry about a private key compromise, use a smart card.

Linux botnets

Posted Feb 15, 2007 15:20 UTC (Thu) by rfunk (subscriber, #4054) [Link]

Use sudo, with user's password. Make the basket of users who have access to sudo be
very small, and watch it closely.

Being able to get direct access to a root shell from the internet is just crazy.

Linux botnets

Posted Feb 15, 2007 20:22 UTC (Thu) by tetromino (subscriber, #33846) [Link]

How is sudo any more secure than root ssh logins with a password? In either case, if you can guess ONE password, you get remote root...

remote root

Posted Feb 15, 2007 21:21 UTC (Thu) by rfunk (subscriber, #4054) [Link]

This is an old debate. But you'll be hard-pressed to find an experienced professional
sysadmin who will allow remote root logins.

Allowing direct root access means that root access is not revokable per-admin; if the
password is somehow compromised (e.g. an admin is fired or is careless with the
password) you have to change the root password and communicate that to all admins
(with the associated insecurity of that communication). If admins are getting root from
their own accounts, then it's sufficient to disable or re-password a single admin's account
without affecting other admins.

So in the sudo case, if that one password is guessed, it's easier to recover than in the
single remote-root case.

Just running a root shell is dangerous. It's much better to be root only for what needs to
be done as root, to avoid accidents or possibly tripping over sabotage (e.g. someone
having gotten in and messing with your ls command).

This slashdot comment is one place that covers the issue well:
http://it.slashdot.org/comments.pl?sid=180864&cid=149...

remote root

Posted Feb 16, 2007 0:25 UTC (Fri) by dd9jn (subscriber, #4459) [Link]

"Allowing direct root access means that root access is not revokable
per-admin; if the password is somehow compromised"

FWIW, I was talking about public key authentication for root access. This also means that revoking access is as simple as deleting one line from authorized_keys.

Where do you see the problem? I agree that logging of access is not as it should be but it is still available and come one, having root access does on most systems mean you have all the power to manipulate the logs. So why care.

remote root

Posted Feb 19, 2007 15:54 UTC (Mon) by hein.zelle (guest, #33324) [Link]

> Where do you see the problem? I agree that logging of access is not as it
> should be but it is still available and come one, having root access does
> on most systems mean you have all the power to manipulate the logs. So
> why care.

One reason I care is that it's easy to accidently turn password authentication back on. On many debian systems I've seen, the option UsePAM (on by default) effectively allows password authentication, even when PasswordAuthentication is off. This is not the case on the latest ubuntu, but dangerous nevertheless. I'd rather have an ssh login as a regular user, and then become root using su.

What is the reasoning behind not using su to become root? I understand the password will go over the line, but it's encrypted. Is this advised against for fear of keyloggers or so?

Linux botnets

Posted Feb 16, 2007 2:27 UTC (Fri) by smoogen (subscriber, #97) [Link]

Ok the security gained by using two layers is via tracking down who logged in... which becomes very important in large teams. If you are administrating a couple hundred linux servers you may have a team of 5-12 people who need root access. Knowing who executed a root level command and when is important and more secure in that if you lock down sudo you can see what they ran versus having a black hole that root logged in at 02:00 and logged out at 02:30 and you have no idea what they ran.

In the case of small teams.. you may not feel that you need this, but it comes in handy if the business grows... you find yourself with 12-20 people with the root password.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds