On Fri, 13 Mar 2009, Luke S Crawford wrote:

> da...@lang.hm writes:
>> I don't see a huge difference between logging in to a UID 0 account named
>> 'root' or a UID 0 account named 'management' (and not much more difference
>> in logging in as UID 500 and then doing a su or sudo to UID 0)
>
> Accountability. If something messes up my system, I want to know if it's
> bob, the new SysAdmin, or if it's the 'management' tool, or what. If
> everything logs in remotely, I have no idea who did what.
>
> Having both log in as a separate UID and then using sudo or su leaves me
> at least some clues as to who root actually is.
>
> For the second reason, I want you to go examine the sshd log (usually
> /var/log/secure or something). If you are not running behind a firewall
> or fail2ban or something else that blocks dictionary attacks at the
> network level, you will most likely see quite a lot of failed login
> attempts for 'root' (you will also see a lot of failed logins for other
> usernames, but 'root' is by far the most common).

If you are running exposed to the Internet, then you have more issues.

But I was disagreeing with the blanket statement that it's _always_ wrong
to do this.

If your cluster of machines is behind a firewall you don't have the
dictionary attacks to deal with.

The accounting may be an issue (or may not, depending on your site's needs
and what you think the odds are that someone is going to use the
management account instead of root to hide their tracks).

David Lang

> If a user chooses a bad password, sure, if someone really wants to take
> you down, they'll get in. But if root has a bad password? Well, my
> experience has been that if you put a box with PermitRootLogin yes and a
> dictionary word for the root password on the public Internet, it will
> be compromised and being used to send spam when you come in the next day.
> (Yes, this actually happened to me. The box was supposed to be a test
> server in our no-incoming-connections-allowed lab. Someone mistakenly put
> it on the public Internet. The next day it was rooted.
> Going through the logs, it sure looks like it fell to a dictionary attack.)
>
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
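Luke's suggestion to examine the sshd log for failed 'root' attempts can be turned into a quick tally. The script below is an added example, not code from the thread; it parses a few constructed /var/log/secure lines (hostnames, accounts and addresses are made up) and counts failed password attempts per account and per source, treating sshd's "invalid user NAME" form as an attempt against NAME.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/secure.
# Every host, account and address here is invented for the example.
SAMPLE_LOG = """\
Mar 13 02:11:04 lab01 sshd[4120]: Failed password for root from 198.51.100.7 port 40212 ssh2
Mar 13 02:11:06 lab01 sshd[4120]: Failed password for root from 198.51.100.7 port 40213 ssh2
Mar 13 02:11:09 lab01 sshd[4122]: Failed password for invalid user admin from 198.51.100.7 port 40215 ssh2
Mar 13 02:11:12 lab01 sshd[4124]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 13 02:12:30 lab01 sshd[4130]: Accepted publickey for bob from 192.0.2.25 port 33001 ssh2
Mar 13 02:12:45 lab01 sshd[4131]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2
Mar 13 02:13:01 lab01 sshd[4133]: Failed password for bob from 192.0.2.25 port 33002 ssh2
"""

# sshd logs a non-existent account as "invalid user NAME"; the optional
# group absorbs that prefix so NAME itself is what gets counted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failed_logins(log_text):
    """Return (per_user, per_source) Counters of failed password attempts."""
    per_user, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        per_user[m.group("user")] += 1
        per_source[m.group("ip")] += 1
    return per_user, per_source

def most_targeted_account(log_text):
    """Account with the most failed attempts, or None if there were none."""
    per_user, _ = failed_logins(log_text)
    return per_user.most_common(1)[0][0] if per_user else None

if __name__ == "__main__":
    users, sources = failed_logins(SAMPLE_LOG)
    print("failed attempts by account:", users.most_common())
    print("failed attempts by source: ", sources.most_common())
    print("most targeted account:     ", most_targeted_account(SAMPLE_LOG))
```

Run against a real log with `python3 tally.py < /var/log/secure` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the per-source counter is the same view fail2ban acts on.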