From: Nico Kadel-Garcia on 10 Jul 2010 04:54
On Jul 8, 9:32 pm, Arno <m...(a)privacy.net> wrote:
> Matt Giwer <jul...(a)tampabay.rr.com> wrote:
> > On 07/05/2010 10:55 AM, jny0 wrote:
> >> I'm installing fedora12. I run the CD, which gives me the option to
> >> log-in as liver system user. I then lick on the Install to Hard Drive
> >> icon, which begins the installation procedure. After setting up a
> >> couple of settings (location, etc) I'm asked to enter a root
> >> password. I enter it, and continue the installation. Oncompletion, I
> >> restart the computer, and am prompted to set up a user account. I
> >> then log in with the user account, as this is the only option
> >> available. When I then try to login as root (through a terminal), I
> >> keep being told that there's authentication failure. I know the
> >> password is correct, and have gone though this process many time now.
> >> Any ideas?
> > Remote login as root is a bad idea for security reasons.
> Why? I have heard the claim frequently, but not a single
> conlusive explanation so far.
You won't get a single, absolute reason for it, There are a set of
reasonable but not individually compelling reasons.
From: The Natural Philosopher on 10 Jul 2010 11:55
> On Tuesday 06 July 2010 11:26 in comp.os.linux.setup, somebody
> identifying as jny0 wrote...
>> ...and I'm a vege...
>> What I meant by "It might be nice to negate this process if it can be
>> done..." is that it would be nice if I could just login as root,
>> rather than login in as a user, and su to root.
> Direct root logins are a security hazard, because the name "root" is
> known to exist in all UNIX systems, so all an attacker needs to guess
> next is the root password.
No. First of all he has to have login *access* to the machine.
in 99% of case if he has that he already has more access than he needs
to get root access. :-(
From: Aragorn on 10 Jul 2010 15:45
On Saturday 10 July 2010 17:55 in comp.os.linux.setup, somebody
identifying as The Natural Philosopher wrote...
> Aragorn wrote:
>> On Tuesday 06 July 2010 11:26 in comp.os.linux.setup, somebody
>> identifying as jny0 wrote...
>>> ...and I'm a vege...
>>> What I meant by "It might be nice to negate this process if it can
>>> be done..." is that it would be nice if I could just login as root,
>>> rather than login in as a user, and su to root.
>> Direct root logins are a security hazard, because the name "root" is
>> known to exist in all UNIX systems, so all an attacker needs to guess
>> next is the root password.
> No. First of all he has to have login *access* to the machine.
Which is exactly the sort of thing we're talking about, since the OP
stated that he prefers to allow root logins over "ssh". And
unfortunately, so do a lot of lazy sysadmins, with as a result that
their systems have gotten compromised and were used in automated
break-in attempts on other machines, such as the ones what my
colleagues and I were running.
And apparently those lazy sysadmins also don't check their logs for
remote root logins. They also appear to lack courtesy, because if you
send them an e-mail with logs from your own server clearly pointing at
a break-in attempt originating from theirs, they will simply ignore
you, and especially so if you're asking for their cooperation since you
yourself happen to suspect a certain group of people of being behind
the attack and you are trying to document that.
> in 99% of case if he has that he already has more access than he
> needs to get root access. :-(
Physical access to servers is also a liability in a lot of
organizations. Been there, seen that.
One of the worst kinds of IT-related security I've ever seen was in a
company not too far from where I live. They have/had a very
heterogenous IT infrastructure - UNIX, Windows NT, Windows 98, Mac OS
9 - and I have personally seen a root console left completely
unattended *overnight* on their main UNIX server. Hell, they wouldn't
even switch off the monitors or at the very least use a screensaver on
their workstations, and some of the Windows NT machines already had the
images burned into their (CRT) monitors.
And next to that, they did of course also have lots of blank password
accounts, even on UNIX systems, and root GUI logins on their Compaq
UNIX printserver. It's like they were just dying for someone to tamper
with their systems.
(registered GNU/Linux user #223157)