Home page logo
/

basics logo Security Basics mailing list archives

Re: security scenario
From: Frank Barton <pauling () starwolf biz>
Date: Fri, 31 Jan 2003 21:39:43 -0500

Personally, I'd even be inclined to say, No root logins over SSH.

Think security in depth, If remote root over SSH is enabled, all someone has to do, is know the root password, said 
password could have been leaked earlier, or 
through other means. Now if remote root is disabled, the attacker has to know 2 passwords, 1 for an account that can su 
to root (limiting to a certain group 
is a Good Thing), and another to su to root.

Also if the policy "No Remote Root Logins" is know to your admin staff, any attempts at a remote root login should 
immedietly send up red flags, whether in the 
Log files (which should be parsed ever so often) or even sendding messages to certain terminals. I have myself noticed 
2 attempts by failed remote root logins.

On Fri, Jan 31, 2003 at 04:38:56PM -0000, Trevor Cushen wrote:
Every unix hardening guide for all platforms mentions limiting the root
access to console only, done via various methods based on the unix in
question, /etc/default settings etc.

Encrypting the root partition I wouldn't believe is an option as it
would slow the machine a lot if the unix in question even allowed it and
also it would fail the boot up in any unix system I have worked on.

The best way is to have a strong password for root access and that
access is via the machine console ONLY.  Then impose good physical
security for the machine along with the policy of logging out of the
machine when not in use or unattended.

All remote access to root should be via 'su' and over a secure method
such as SSH.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: pasi.kivikangas () nokia com [mailto:pasi.kivikangas () nokia com] 
Sent: 30 January 2003 07:34
To: theog () theog org; security-basics () securityfocus com
Subject: RE: security scenario


Would be any help if the root partition (and why not other partitions as
well) is encrypted? Ok, in that case the server must not re-boot.


      - Pasi

From: ext theog [mailto:theog () theog org]
I agree , in my opinion , if someone got to the machine's
keyboard , be it
phisically or via a remote console device , he can do 
virtually anything , ,
in fact , the simplest thing to do (if I wanted to change the 
root for a
machine I dont have the password for) is to boot with a linux 
cd , mount the
root partition , then do chroot , and passwd , so ..... no 
point is having a


**************************************************************************************

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

**************************************************************************************

-- 
Frank Barton
Starwolf.biz Systems Administrator

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault