Re: security scenario

[Frank Barton <pauling () starwolf biz>]

Personally, I'd even be inclined to say, No root logins over SSH.

Think security in depth, If remote root over SSH is enabled, all someone has to do, is know the root password, said 
password could have been leaked earlier, or 
through other means. Now if remote root is disabled, the attacker has to know 2 passwords, 1 for an account that can su 
to root (limiting to a certain group 
is a Good Thing), and another to su to root.

Also if the policy "No Remote Root Logins" is know to your admin staff, any attempts at a remote root login should 
immedietly send up red flags, whether in the 
Log files (which should be parsed ever so often) or even sendding messages to certain terminals. I have myself noticed 
2 attempts by failed remote root logins.

On Fri, Jan 31, 2003 at 04:38:56PM -0000, Trevor Cushen wrote:
> Every unix hardening guide for all platforms mentions limiting the root
> access to console only, done via various methods based on the unix in
> question, /etc/default settings etc.
>
> Encrypting the root partition I wouldn't believe is an option as it
> would slow the machine a lot if the unix in question even allowed it and
> also it would fail the boot up in any unix system I have worked on.
>
> The best way is to have a strong password for root access and that
> access is via the machine console ONLY.  Then impose good physical
> security for the machine along with the policy of logging out of the
> machine when not in use or unattended.
>
> All remote access to root should be via 'su' and over a secure method
> such as SSH.
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
>
>
> -----Original Message-----
> From: pasi.kivikangas () nokia com [mailto:pasi.kivikangas () nokia com] 
> Sent: 30 January 2003 07:34
> To: theog () theog org; security-basics () securityfocus com
> Subject: RE: security scenario
>
>
> Would be any help if the root partition (and why not other partitions as
> well) is encrypted? Ok, in that case the server must not re-boot.
>
>
>       - Pasi
>
> > From: ext theog [mailto:theog () theog org]
> > I agree , in my opinion , if someone got to the machine's
> > keyboard , be it
> > phisically or via a remote console device , he can do 
> > virtually anything , ,
> > in fact , the simplest thing to do (if I wanted to change the 
> > root for a
> > machine I dont have the password for) is to boot with a linux 
> > cd , mount the
> > root partition , then do chroot , and passwd , so ..... no 
> > point is having a
>
>
> **************************************************************************************
>
> This email and any files transmitted with it are confidential and intended 
> solely for the use of the individual or entity to whom they are addressed. 
>
> If you have received this message in error please notify SYSNET Ltd., at
> telephone no: +353-1-2983000 or postmaster () sysnet ie
>
> **************************************************************************************

-- 
Frank Barton
Starwolf.biz Systems Administrator

Attachment: _bin
Description: