Re: Enabling telnet, ftp, pop3 for root...
- From: matt_left_coast <not@xxxxxxxxxx>
- Date: Thu, 06 Apr 2006 03:44:23 -0700
Ertugrul Soeylemez wrote:
matt_left_coast <not@xxxxxxxxxx> (06-04-06 02:16:38):
If you allow logging in directly as root, root can be hacked by someone
entering "root" as a user name.
... and authenticating. Your fault, if you allow root login without
authentication.
Where did I say ANYTHING about not using authentication?
Or do you use passwords?
Yes, I do.
Then it's your own fault, if
they get in.
I have seen nothing from you that shows HOW they would get in!
Since root is a well known name, part of the process of hacking the
system is already done. All that is needed is to guess the root
password. If you disallow direct root login, then the hacker must
guess a valid user AND the correct password for that user before they
can even get into the system.
In most cases, it's not that hard to guess valid usernames.
In combination with the valid password from OUTSIDE the system? You're
joking right?
Looking
over one's shoulders,
That limits things to just a FEW possible people, easily stopped by looking
to see who can see over your shoulder.
capturing traffic,
The traffic is encrypted.
intercepting dialogues,
The ssh account is only used for remote login. It is not used in unencrypted
dialogs. It also is set up to make it virtually impossible to do anything
other than su, so adding a keystroke monitor would not be possible.
asking
Google, whatever.
Wouldn't be found in Google. It is relatively simple to make a user ID and
password that are not based on things easily guessed or found.
And you didn't consider that many attackers are not
totally unknown persons.
Yes, I have. That is why I don't use my everyday user name or password for
an ssh login account. That is why the user ID and passwords are not even
based on WORDS much less based on anything in my life.
If someone wants to get to your system, then
he has a reason to do so, i.e. he already has some information about
you.
That does not mean they can guess the user name and password I have used for
ssh logins.
They must then figure out how to get to root.
Logging into root directly via proper authentication mechanisms and
disallowing normal users to become root appears more secure to me.
Good thing you don't work on any of MY systems. Logging into the USER via
"proper authentication" then requiring a SECOND authentication is more
secure. Two layers of "proper authentication" is better than ONE!
Which is more secure? DISALLOWING DIRECT ROOT LOGIN.
Yes, for "system administrators" like you. I didn't know that there is
a Linux counterpart for 'MCSE'.
Don't know yourself, eh?
Also, if there is more than one admin, the su will log who used root
on the system and when. If you allow direct root login, then there is
no telling which of the admins was on the system when problems
started...
Since you only know about password authentication and that's the only
thing in the world, you _must_ even be an MCSE, being new to the Linux
world at all. I suggest you read about public key based
authentication. And yes, you can very well tell, who logged in.
As of yet, you have not shown how you would get my login and password, much
less get TO my system since I use various methods to prevent even the ssh
port from being seen by ANYONE.
That's a common and very unreasonable misconception.
As you can see, it is not even a misconception, much less a "very
unreasonable one". It is clear you are laboring under some misguided
concepts.
You don't even have a concept. See above.
I have not seen how you would A: get TO my system, B: get my user ID and
password.
Your statement holds for non-secure protocols (i.e. Telnet),
And for people logging directly into consoles as well.
And for people using remote terminals like SSH.
Unless they knew how to get to my SSH port, they would not even be able to
TRY my password.
You are switching
context here. I'm talking about network security, but you're talking
about bubblegums.
I am talking about TOTAL security, if that is "switching context" by your
standards, then you don't know security.
but there you shouldn't even login as a normal user.
Well, I guess if you babble long enough, you'll get something right
just by random chance.
And you're just some angry MCSE, trying to show us how cool you are, and
that you have learned something. You are in the wrong place. Have a
look at comp.os.ms-windows.networking.windows.
I have shown how cool I am. The simple fact is, you have not shown how you
would even REACH my box to try to use my username and password!
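
An added example, not part of the original post: the thread disputes whether root use can be attributed to an individual admin, so this sketch parses auth-log lines and reports which root sessions can be tied to a person. The log lines are constructed, their format is an assumption modelled on common OpenSSH and pam_unix messages, and `KEY_OWNERS` is a hypothetical key inventory.

```python
import re

# Constructed sample auth-log lines (not from the thread); the formats follow
# common OpenSSH and pam_unix messages and may differ by distribution.
SAMPLE_LOG = """\
Apr  6 03:10:01 host sshd[811]: Accepted password for alice from 192.0.2.10 port 40122 ssh2
Apr  6 03:10:09 host su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Apr  6 03:20:44 host sshd[902]: Accepted password for root from 192.0.2.11 port 40300 ssh2
Apr  6 03:31:17 host sshd[950]: Accepted publickey for root from 192.0.2.12 port 40555 ssh2: RSA SHA256:EXAMPLEFINGERPRINTBOB
Apr  6 03:40:02 host sshd[990]: Accepted publickey for root from 192.0.2.13 port 40777 ssh2: RSA SHA256:EXAMPLEUNKNOWNKEY
"""

# Hypothetical inventory mapping each admin's key fingerprint to a person.
KEY_OWNERS = {"SHA256:EXAMPLEFINGERPRINTBOB": "bob"}

# su names the invoking user; sshd names the method, source and (for keys) fingerprint.
SU_RE = re.compile(r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened "
                   r"for user root(?:\(uid=0\))? by (\w+)\(uid=\d+\)")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+) port \d+ ssh2"
                    r"(?:: \S+ (\S+))?")

def attribute_root_access(log_text, key_owners):
    """Return (method, who, source) for every event that yields a root session."""
    events = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m:
            events.append(("su", m.group(1), "local"))
            continue
        m = SSH_RE.search(line)
        if m:
            method, source, fingerprint = m.groups()
            # Only a key fingerprint can identify a person on a direct root login.
            who = key_owners.get(fingerprint, "unknown") if method == "publickey" else "unknown"
            events.append((method, who, source))
    return events

def unattributed(events):
    """Root sessions that cannot be tied to a named admin from the log alone."""
    return [e for e in events if e[1] == "unknown"]

if __name__ == "__main__":
    for event in attribute_root_access(SAMPLE_LOG, KEY_OWNERS):
        print(event)
```
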