F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Stephen John Smoogen smooge at gmail.com
Mon Jan 12 19:13:44 UTC 2015


On 12 January 2015 at 11:58, P J P <pj.pandit at yahoo.co.in> wrote:

> On Tuesday, 13 January 2015 12:05 AM, Stephen John Smoogen wrote:
> >I don't see how this is the case. All we have done is move the
> >first line of the root-kit script to calling sudo via the password
> >that was used to open the account up. Since many Linux systems
> >are single user boxes.. it is most likely going to work. If it fails
> >then the majority of them just dump the warning email in
> >/var/spool/mail/root which never gets read (from the number of boxes
> > I have had to clean up).
>
>   Sorry, I didn't get it. Running root-kit script implies you already
> have access to a machine. And the user has sudo(1) access enabled.
>
>
Sorry if I am misunderstanding but the feature is to address brute forcing
the root account so that they do not get root access to the server. I am
saying that this isn't a speed-bump because they are already trying to
brute force all the accounts on the system and so if they get one, they
will become root as they already have the password for the account. Thus I
do not see how it solves the first problem.


> >And from looking at the sophistication of various worms these days..
> >they are a lot smarter about guessing who owns the box and then trying
> >various smart choices (since Fedora will select ssmoogen as my name it
> >has shown up more often in brute forces by systems which I own).
>
>   That's possible. But the proposed feature is not meant to address this
> issue.
>
>
> >I was going to say it is an informed speculation.. I have actually had to
> >interview various people about weak passwords and why they chose them and
> >the largest excuse is "Well I don't need to have a strong password for
> >this.. it's not like it's root."
>
>   Yes, that is quite common. Which is precisely why we need to set hardened
> default configurations.
>

I do not disagree. I just think that the sophistication of the malware
robots is high enough that saying the above does not help hardening without
further changes. [Adding a password creation tool to anaconda and
gnome-first-boot to help people create 'stronger' passwords would seem to
do more in hardening.]



> ---
> Regards
>    -Prasad
> http://feedmug.com



-- 
Stephen J Smoogen.
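
The point argued in this message, that PermitRootLogin=no leaves a path to root through any password-login account that also has sudo, can be checked on a host with a small audit. The following is an added example, not part of the original message or of any Fedora tooling. The sample files are constructed, and it assumes sudoers grants full rights to the wheel group and looks only at supplementary group membership.

```python
# Added example: all inputs below are constructed, not taken from a real host.
SSHD_CONFIG = """\
# constructed sample
PermitRootLogin no
PasswordAuthentication yes
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ssmoogen:x:1000:1000::/home/ssmoogen:/bin/bash
builder:x:1001:1001::/home/builder:/bin/bash
apache:x:48:48::/usr/share/httpd:/sbin/nologin
"""
GROUP = """\
wheel:x:10:ssmoogen
builder:x:1001:
"""
SUDO_GROUPS = {"wheel"}  # assumption: sudoers contains %wheel ALL=(ALL) ALL

def sshd_options(text):
    """Map keyword -> value, keeping the first occurrence as sshd does."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def password_paths_to_root(sshd_config, passwd, group):
    """List accounts where one guessed SSH password leads to uid 0."""
    opts = sshd_options(sshd_config)
    if opts.get("passwordauthentication", "yes") != "yes":
        return []  # no password logins over SSH, nothing to brute force
    sudoers = set()
    for line in group.splitlines():
        name, _, _, members = line.split(":")
        if name in SUDO_GROUPS:
            sudoers.update(m for m in members.split(",") if m)
    # Unset PermitRootLogin is treated as the current upstream default.
    root_ok = opts.get("permitrootlogin", "prohibit-password") == "yes"
    found = []
    for line in passwd.splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        if shell.endswith(("nologin", "false")):
            continue  # account cannot get an interactive shell
        if uid == "0" and root_ok:
            found.append((user, "direct root login"))
        elif user in sudoers:
            found.append((user, "sudo with the same password"))
    return found
```

With the constructed files above, root no longer appears but ssmoogen still does, which is the residual exposure the message describes.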