Re: Enabling telnet, ftp, pop3 for root...
- From: Ertugrul Soeylemez <never@xxxxxxxxxxxxxx>
- Date: Thu, 6 Apr 2006 14:00:02 +0200
matt_left_coast <not@xxxxxxxxxx> (06-04-06 04:11:10):
Getting in directly as root requires the root password. Logging
in as another user then becoming root through 'su' requires two
passwords - the root and the user password. Seems more secure to
me.
You are wrong here. That's an (unfortunately very common) false
sense of security. Doing that might even decrease it. Do you
always check your system for rootkits and/or suspicious
background processes, before you attempt root login? Do you
always check your shell's configuration? I guess you don't.
And it's very common that the intermediate user account has a
weaker password than the root account.
Nonsense.
Why?
because. please, explain why it is NOT nonsense in a way that is
believable.
First let me clarify something mentioned below: _You_ started ranting,
because _you_ have a different opinion.
Now, to answer your question, that explanation would be a verbatim copy
of my original answer to Sybren Stuvel. He and probably all others have
understood it, but you didn't. You're still just ranting, trying to
excuse your 'security' by obscurity.
Then you may want to try to get into my root account. You don't
even have my public key, so try to guess my private key. You'll
fail.
So?
Do you disagree? I have told you my hostname and SSHd port number in
another post. You are welcome to try.
See below. A key-logger doesn't have to be a full-featured
background process.
So, you can actually ANSWER the question.
I did. A key logger doesn't have to be a program. Again, see below.
A 'su' alias can act as a key-logger as well, because it can log the
password you type in. But MCSEs like you didn't get to know
anything else than full-blown CD-ROM packages.
That is provided you can write to any file that would be sourced at
login. Since I use a special user name for logging in via ssh, it is
easy enough to prevent you from being able to do so.
Right. But that does not prevent me from just staying logged in and waiting
for you, and as soon as you log in, starting to listen on the PTY device
file. That's less stealthy, but it works.
Correct. But that does not get you into MY system.
It's not intended to. It just shows that my system is 'just secure',
while yours needs special tweaking to not even provide equal security.
Password, password, password, ...
Point?
[...]
If you would make a VALID POINT instead of ranting....
Point: Did you ever try or even consider trying alternatives? You
would be surprised how easy it is.
I prefer making it impractical. Guessing usernames and
brute-forcing passwords together are still much easier than breaking
a public key
Many people get lazy and leave their "keys" in vulnerable spots. There
is "good enough" and then there is "paranoid". Any system that is on
the network is at risk, period. I am quite comfortable with the
security methods I have in place. I have not seen anything that you
have said that would get past even my first level.
Yes, there is a difference between 'good enough' and 'paranoid'. But
setting up key-based auth is easy, and more secure than password-based
auth, so why shouldn't I use it?
From what you say, I assume that your host is stationed in some kind of
local network, and you're using password-based auth only. Further, your
SSHd port is hidden and needs to be opened by some kind of network
handshake. In other words: Sniffing and MITM attacks are enough to get
to your intermediate account.
or, as already pointed out by Sybren Stuvel, compromising one-time
passwords.
On my system, someone coming in on ssh, if they even get that far,
would have 3 tries to "blunt force" a user name and that account would
be locked out.
That makes DoS attacks possible, effectively locking you out of your own
system. It's easy to forge hostnames in a local network, especially
when it's switched.
I prefer to make it impossible for you to even reach my machine via
ssh unless authorized to do so. You should investigate some of the
ways to do that, sometime. The simple fact is, unless you know how to
set up the system you are trying to connect with, are able to supply
the setup with the correct parameters, and it has the right address,
you'll never get an ssh connection.
If my assumption about you being in a local network was right, then
getting to the SSH connection is easy. If it's a switched ethernet,
then it's even easy to get to your username and password. But you're
not going to believe this anyway, because you're so convinced about the
security of your system.
But even if you do, you will ONLY be able to login as a user, provided
you can GUESS what the user ID and password are, then you will NOT be
able to set up persistent aliases so you would still have to GUESS the
root password.
See above.
Regards.
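Editor's note, added after the message and not part of either poster's words: the thread's practical point is that the "two passwords" argument only holds if the intermediate account's shell cannot be made to capture the root password (an `su` alias or function in a start-up file, or a start-up file another local user can write to), and that key-only SSH removes the guessable-password step entirely. The script below automates exactly those checks. It is example code written for this page, not anything from the thread's participants; the file paths, the sample `.bashrc` and the sample `sshd_config` it creates are constructed for the demonstration, and the `sshd_config` parser ignores `Match` blocks.

```shell
#!/bin/sh
# Added example, not from the original thread. Before typing a root password
# into su, check that (1) no shell start-up file redefines su/sudo as an
# alias or function that would see the password, (2) nobody else could have
# planted one because the file is group- or world-writable, and (3) sshd is
# really configured for key-only login. Sample files below are constructed.

# Lines that make su or sudo resolve to something other than the binary:
#   alias su=...   alias sudo=...   su() {...   function sudo ...
SU_SHADOW_RE='^[[:space:]]*(alias[[:space:]]+(su|sudo)=|(su|sudo)[[:space:]]*\(\)|function[[:space:]]+(su|sudo)([[:space:]]|$))'

# Print how many shadowing definitions appear across the given files.
count_su_shadowing() {
    n=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        c=$(grep -cE "$SU_SHADOW_RE" "$f" || true)   # grep -c exits 1 on no match
        n=$((n + c))
    done
    echo "$n"
}

# Print each offending line as file:lineno:text; exit 0 only if none found.
find_su_shadowing() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE "$SU_SHADOW_RE" "$f" | sed "s|^|$f:|"
    done
    [ "$(count_su_shadowing "$@")" -eq 0 ]
}

# Exit 0 when only the owner has write permission on the file. Parses the
# ls -l mode string so it behaves the same on GNU and BSD userland.
owner_only_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    g=$(printf '%s\n' "$perms" | cut -c6)
    o=$(printf '%s\n' "$perms" | cut -c9)
    [ "$g" != w ] && [ "$o" != w ]
}

# Print the value sshd will use for a keyword: keywords are
# case-insensitive and the first uncommented occurrence wins.
# (Match blocks are not modelled here.)
sshd_effective() {
    k=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == k { print $2; exit }
    ' "$1"
}

# Demonstration on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d)
    cat > "$d/.bashrc" <<'EOF'
# constructed sample: a planted wrapper that would log the root password
alias su='/tmp/.x/su'
sudo() { printf '%s\n' "$@" >> /tmp/.x/log; command sudo "$@"; }
EOF
    chmod 664 "$d/.bashrc"      # group-writable: someone else could have put this here
    cat > "$d/sshd_config" <<'EOF'
# constructed sample sshd_config
PermitRootLogin prohibit-password
#PasswordAuthentication yes
PasswordAuthentication no
EOF
    if find_su_shadowing "$d/.bashrc"; then
        echo "ok: su/sudo are not shadowed"
    else
        echo "WARNING: su/sudo redefined above; do not type the root password here"
    fi
    if owner_only_writable "$d/.bashrc"; then
        echo "ok: $d/.bashrc writable by owner only"
    else
        echo "WARNING: $d/.bashrc is writable by group or others"
    fi
    echo "PasswordAuthentication = $(sshd_effective "$d/sshd_config" PasswordAuthentication)"
    echo "PermitRootLogin        = $(sshd_effective "$d/sshd_config" PermitRootLogin)"
    rm -rf "$d"
}

demo
```

On a real host you would point `find_su_shadowing` and `owner_only_writable` at the login user's `~/.profile`, `~/.bashrc`, `~/.bash_profile` and the system-wide `/etc/profile` and `/etc/bash.bashrc`, and `sshd_effective` at `/etc/ssh/sshd_config`; a `PasswordAuthentication` of `no` together with `PermitRootLogin` of `prohibit-password` (or `no`) is the key-only setup the reply recommends.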