From: Heiko Wundram <heiko@xencon.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Permissions of /etc/sudoers
Date: Mon, 9 Feb 2009 14:05:50 +0100
Message-ID: <200902091405.50934.heiko@xencon.net>
In-Reply-To: <gmp82a$801$1@ger.gmane.org>
On Monday, 9 February 2009 13:37:31, Nikos Chantziaras wrote:
> Stroller wrote:
> > I install sudo, give my user wide sudo rights and then set
> > "PermitRootLogin no" in /etc/ssh/sshd_config.
> > (Critique of this measure welcomed).
>
> Since Hung already answered about the other problem, I'll just comment
> on this.
>
> It's a bad idea if the machine is open to the Internet, especially since
> it's easy to simply "su -" or "sudo" as a normal user.
Sorry, but I consider that to be BS advice (at least concerning that you want
to leave password-authentication open).
I'd always recommend disabling root login for ssh (as soon as that is
possible, i.e. you have an unprivileged account that is in group wheel which you
can use to access the machine in question), because root is a "well-known"
user (and thus lends itself well to a [possibly distributed] ssh brute force).
When someone wants to "hack" your machine, he's always going to try known
usernames before going on to guess what "additional" (unprivileged) usernames
might have been set up on your system. And, even when he gets access to one of
your user accounts (who happen to be in group wheel), he still has to guess
the root password (when doing su -) to be able to become root, and hopefully
this buys you the time to see in your logs that someone tried local "su" with
invalid passwords, which should always be a high priority alert.
YMMV, but I've felt pretty safe (safer than leaving root open for
password-authentication) like this so far.
--
Heiko Wundram
Gehrkens.IT GmbH
FON 0511-59027953 | http://www.gehrkens.it
FAX 0511-59027957 | http://www.xencon.net
Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover
Registration court: Amtsgericht Hannover, HRB 200551
Managing directors: Harald Gehrkens, Daniel Netzer
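The message above argues that failed local "su" attempts should be a high-priority alert, while ssh password failures against root are the expected brute-force noise that "PermitRootLogin no" shuts out. The following scanner, an added example that is not part of Heiko's mail or of any Gentoo tool, classifies constructed auth.log lines in the syslog formats emitted by OpenSSH sshd and by su/pam_unix, and ranks local su failures above remote ssh failures; the sample log lines and the severity labels are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the thread); addresses are from
# documentation ranges. Formats follow OpenSSH sshd and su with pam_unix.
SAMPLE_LOG = """\
Feb  9 13:40:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 4242 ssh2
Feb  9 13:40:03 host sshd[2101]: Failed password for root from 203.0.113.5 port 4243 ssh2
Feb  9 13:40:09 host sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 4250 ssh2
Feb  9 13:41:12 host sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Feb  9 13:42:30 host su[2120]: FAILED SU (to root) alice on /dev/pts/0
Feb  9 13:42:31 host su[2120]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=root
Feb  9 13:43:00 host su[2130]: (to root) alice on /dev/pts/0
"""

# Each rule: (pattern whose group 1 is the source, severity, alert kind).
# Source is the remote address for sshd events and the calling user for su.
RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)"),
     "medium", "ssh-root-password-failure"),
    (re.compile(r"sshd\[\d+\]: Failed password for invalid user \S+ from (\S+)"),
     "low", "ssh-unknown-user-failure"),
    (re.compile(r"su\[\d+\]: FAILED SU \(to \S+\) (\S+) on "),
     "high", "local-su-failure"),
    (re.compile(r"pam_unix\(su(?:-l)?:auth\): authentication failure;.*ruser=(\S+)"),
     "high", "local-su-failure"),
]

def scan(lines):
    """Return (severity, kind, source) for every line that matches a rule.
    One su failure usually yields two lines (su's own and pam_unix's), so
    summarize() dedupes on (kind, source) rather than counting raw hits."""
    alerts = []
    for line in lines:
        for pattern, severity, kind in RULES:
            m = pattern.search(line)
            if m:
                alerts.append((severity, kind, m.group(1)))
                break
    return alerts

def summarize(alerts):
    """Count distinct (kind, source) pairs per severity."""
    distinct = {(kind, src): sev for sev, kind, src in alerts}
    return Counter(distinct.values())

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for sev, kind, src in found:
        print(f"[{sev}] {kind}: {src}")
    print(dict(summarize(found)))
```

On the sample input the successful "(to root) alice" line produces no alert, the two root ssh failures collapse to one medium finding for 203.0.113.5, and the su failure surfaces once as high.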