From: Heiko Wundram
Organization: Gehrkens.IT GmbH
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Permissions of /etc/sudoers
Date: Mon, 9 Feb 2009 14:05:50 +0100

On Monday 09 February 2009 13:37:31, Nikos Chantziaras wrote:
> Stroller wrote:
> > I install sudo, give my user wide sudo rights and then set
> > "PermitRootLogin no" in /etc/ssh/sshd_config.
> > (Critique of this measure welcomed).
>
> Since Hung already answered about the other problem, I'll just comment
> on this.
>
> It's a bad idea if the machine is open to the Internet, especially since
> it's easy to simply "su -" or "sudo" as a normal user.

Sorry, but I consider that to be BS advice (at least concerning that you want to leave password-authentication open).

I'd always recommend disabling root login for ssh (as soon as that is possible, i.e. you have an unprivileged account who is in group wheel who you can use to access the machine in question), because root is a "well-known" user (and thus lends itself well to a [possibly distributed] ssh brute force).

When someone wants to "hack" your machine, he's always going to try known usernames before going on to guess what "additional" (unprivileged) usernames might have been set up on your system. And, even when he gets access to one of your user accounts (who happen to be in group wheel), he still has to guess the root password (when doing su -) to be able to become root, and hopefully this buys you the time to see in your logs that someone tried local "su" with invalid passwords, which should always be a high priority alert.

YMMV, but I've felt pretty safe (safer than leaving root open for password-authentication) like this so far.

-- 
Heiko Wundram

Gehrkens.IT GmbH
Phone 0511-59027953 | http://www.gehrkens.it
Fax 0511-59027957 | http://www.xencon.net

Gehrkens.IT GmbH
Strasse der Nationen 5
30539 Hannover

Court of registration: Amtsgericht Hannover, HRB 200551
Managing directors: Harald Gehrkens, Daniel Netzer
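
The log check the message describes (failed local "su" attempts treated as a high priority alert), as an added example that is not part of the original post. The log lines are constructed, and the message formats (modelled on shadow's su and pam_unix) and the function name `failed_su_alerts` are assumptions; it also attaches the address of the account's earlier ssh login for triage.

```python
import re
from collections import defaultdict

# Constructed sample in classic syslog style (not from the original post).
# Message formats are assumed; adjust the regexes to what your su/PAM logs.
SAMPLE_LOG = """\
Feb  9 13:01:10 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  9 13:02:44 host sshd[2140]: Accepted password for alice from 203.0.113.7 port 40188 ssh2
Feb  9 13:03:02 host su[2150]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/1 ruser=alice rhost=  user=root
Feb  9 13:03:04 host su[2150]: FAILED su for root by alice
Feb  9 13:03:20 host su[2157]: FAILED su for root by alice
Feb  9 13:10:00 host su[2200]: FAILED su for root by bob
Feb  9 13:10:30 host su[2203]: Successful su for root by bob
"""

SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SU_FAIL = re.compile(
    r"su\[(?P<pid>\d+)\]: (?:FAILED su for (?P<t1>\S+) by (?P<u1>\S+)"
    r"|pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*\bruser=(?P<u2>\S*).*\buser=(?P<t2>\S+))"
)

def failed_su_alerts(log_text):
    """Return one alert per (user, target) pair that has failed su attempts."""
    ssh_source = {}  # user -> address of that user's latest ssh login so far
    found = defaultdict(lambda: {"pids": set(), "src": None})
    for line in log_text.splitlines():
        m = SSH_OK.search(line)
        if m:
            ssh_source[m["user"]] = m["ip"]
            continue
        m = SU_FAIL.search(line)
        if m:
            user = m["u1"] or m["u2"] or "unknown"
            entry = found[(user, m["t1"] or m["t2"])]
            # One attempt can log several lines; they share the su PID.
            entry["pids"].add(m["pid"])
            entry["src"] = entry["src"] or ssh_source.get(user)
    return [
        {"user": u, "target": t, "failures": len(e["pids"]), "ssh_source": e["src"]}
        for (u, t), e in sorted(found.items())
    ]

if __name__ == "__main__":
    for alert in failed_su_alerts(SAMPLE_LOG):
        print("HIGH PRIORITY failed su:", alert)
```
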