Re: [cobalt-security] OpenSSH pkg default config (was: Am I missing something here)
- Subject: Re: [cobalt-security] OpenSSH pkg default config (was: Am I missing something here)
- From: Nico Meijer <nico.meijer@xxxxxxxxx>
- Date: Thu, 14 Mar 2002 23:43:04 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Edward,
> Continuing in the same vein: double check that the OpenSSH sshd_config has
> PermitRootLogin set to no. If set to yes, this allows anyone to attempt to
> login directly as root. Although I am not a security expert by any means, I
> recall reading that this is not a good idea... Instead, you can login as
> admin and then su to get root access.
...unless your box is cracked/0wn3d/compromised/whatever-you-want-to-call-it. It is all a matter of opinion.
I remember Zeffie mentioning that the only way to successfully 'restore' a box after it had been compromised and `su` had been tampered with was to log in as root directly. And I do recall Zeffie being a very decent, security conscious contributor to this list.
It is therefore not all bad. Just remember to give the root account a *very* strong password and to change it pretty regularly. My personal favourite password is a generated password, hard to remember even by me.
Mind you, I do not allow direct root logins (so I tend to agree with you). Mind you, again, that I have physical access to my machines. If you're colocating a few thousand miles away, make sure your ISP is a pretty decent one. "You get what you pay for" has been said many times before on these lists... and it's true. Don't save a few bucks if you really needn't.
Have a great one... Nico
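A check for the sshd_config setting this thread is about, added here as an example and not taken from the original post or from Cobalt's package: it reports the effective global PermitRootLogin the way sshd reads the file (first value obtained wins, Match blocks excluded). The 'yes' fallback for a missing directive is an assumption reflecting the built-in OpenSSH default of that period.

```python
"""Effective global PermitRootLogin of an sshd_config (added example).
sshd rules reproduced: keywords are case-insensitive, keyword and argument are
separated by whitespace or one '=', lines starting with '#' are comments, the
FIRST value obtained for a keyword wins, and lines after a Match apply only
to matching connections, so they are not part of the global setting."""
import re
# Values under which root can still authenticate in some form.
ROOT_LOGIN_ALLOWED = {"yes", "without-password", "prohibit-password",
                      "forced-commands-only"}

def parse_global_directives(config_text):
    """Return {keyword_lowercase: first_value} for the global section only."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue  # keyword without an argument; sshd would reject it
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional block: stop collecting global values
        directives.setdefault(key, value)  # first occurrence wins
    return directives

def effective_permit_root_login(config_text, default="yes"):
    """Effective global value; `default` is what sshd assumes when the directive
    is absent or commented out (assumed 'yes', the built-in default of the era)."""
    return parse_global_directives(config_text).get("permitrootlogin", default).lower()

def root_login_allowed(config_text, default="yes"):
    """True when the effective setting lets root authenticate over SSH at all."""
    return effective_permit_root_login(config_text, default) in ROOT_LOGIN_ALLOWED

# Constructed sample: the directive is commented out, then live twice, then set
# again inside a Match block; only the first live occurrence ('no') counts.
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin yes
PermitRootLogin   no
PermitRootLogin=yes
Match User admin
    PermitRootLogin yes
"""

if __name__ == "__main__":
    allowed = root_login_allowed(SAMPLE_SSHD_CONFIG)
    print("PermitRootLogin ->", effective_permit_root_login(SAMPLE_SSHD_CONFIG),
          "(root may log in directly)" if allowed else "(direct root login refused)")
```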