RE: [cobalt-users] Disallowing remote root login
- Subject: RE: [cobalt-users] Disallowing remote root login
- From: <rpaiz@xxxxxxxxxxxxxx>
- Date: Sun Mar 25 20:13:51 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> > Why? su still requires me to enter the root password. So
> > now someone has to guess one of the other three passwords
> > *and* the root password.
>
> ok, before they had to be able to guess admin's password, then root's,
> now they get a choice of 4 then root's...
>
> So instead of only one user who can become root you have 4...
Three, actually. I understand your point. But I could die tomorrow, and
that, like hackers, is an eventuality my business must prepare for. What
I do know is that those three people change their passwords only through
me <grin>, and they're all very strong passwords. (Starting from the
basics...)
> yes, but my point is, admin is the only user login that can
> later become root, so that's one password as seen from outside,
The server admin (by which I mean the guy who adds websites and users)
is not yet trusted with the root password. And obviously I'll know if he
changes it, which he won't, especially since his job and his reputation
go right out the window 12 milliseconds later. :)
I've also made it clear that my logcheck will treat a shell access by
admin as an Active Attack Alert, and that this is expressly forbidden.
That only leaves the other three users, which are my two partners and
myself. And they want this server to stay healthy as much as I do. :]
> ok, dropping user exec for su is a nice start...but remember
> it's SUID not SGID ;)
You, um, wanna shuffle those cards again a little slower, sir?
> I'd still start simpler, like, can you log in to ssh from any ip?
> Is your root password strong? Remember, su isn't the only way to
> become root, you can fool with login too ;)
Root and wheel group members' passwords are all strong. As of yet, I can
ssh in from any IP but I'll be locking that one down too soon. (But
since you mention it, how? ipchains or sshd_config?)
> Do all the cron jobs drop root as soon as possible?
I've only added two cron jobs. One to update the time, one to mirror the
Linux Documentation Project, and one to mirror RedHat. What's this about
"dropping root"?
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>
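
The SUID/SGID point raised in this thread, as an added example that is not part of the original message: a shell function that checks whether a mode/owner/group triple describes an su binary that is setuid root and executable only by root and the wheel group. The function name, the `stat -c '%a %U %G'` input format (GNU coreutils) and the sample triples are assumptions, as is the reading that the goal is to limit su to wheel.

```shell
#!/bin/sh
# check_su_mode MODE OWNER GROUP [TRUSTED_GROUP]
# MODE is the octal mode as printed by GNU `stat -c %a` (e.g. 4750).
# Prints one finding per line; returns 0 only when su is setuid root
# and executable by root and the trusted group alone, 2 on bad input.
check_su_mode() {
    mode=$1; owner=$2; group=$3
    trusted=${4:-wheel}                      # wheel: the group named in the thread
    case $mode in
        [0-7][0-7][0-7]) mode=0$mode ;;      # no special bits set
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode"; return 2 ;;
    esac
    special=${mode%???}                      # first digit: setuid=4, setgid=2
    perms=${mode#?}                          # user, group, other digits
    grp=${perms#?}; grp=${grp%?}
    other=${perms#??}
    rc=0
    if [ "$owner" != root ] || [ $(( special & 4 )) -eq 0 ]; then
        echo "not setuid root: su cannot switch to root at all"; rc=1
    fi
    if [ $(( special & 2 )) -ne 0 ]; then
        echo "setgid bit set: su does not need it"; rc=1
    fi
    if [ "$group" != "$trusted" ]; then
        echo "group is $group, expected $trusted"; rc=1
    elif [ $(( grp & 1 )) -eq 0 ]; then
        echo "group $trusted has no execute bit"; rc=1
    fi
    if [ $(( other & 1 )) -ne 0 ]; then
        echo "world-executable: any local account can run su"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not taken from the server in the thread).
for sample in "4755 root root" "2750 root wheel" "4750 root wheel"; do
    set -- $sample
    if out=$(check_su_mode "$@"); then
        echo "$sample: ok"
    else
        echo "$sample:"; echo "$out" | sed 's/^/  /'
    fi
done
```

On a live system the three arguments can be taken from `stat -c '%a %U %G'` run against the su binary.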