Fedora 31 Will Finally Disable OpenSSH Root Password-Based Logins By Default
-
Originally posted by DoMiNeLa10
Root login should be disabled by default. Escalating privileges is the way to go.
I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.
I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.
Root being enabled is a must-have feature.
-
Originally posted by ezst036
I purposefully choose distros that leave root login intact.
Originally posted by ezst036
What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.
Root being enabled is a must-have feature.
Edit2: Even if root login was disabled, in the scenario you described with a borked account, you'd simply boot into single user mode (or from CD), mount the root FS and fix it, and/or enable root login. It's a basic sysadmin 101 type of procedure. Not sure why you'd want to 'start over from scratch'.
Last edited by torsionbar28; 23 June 2019, 10:36 PM.
- Likes 1
-
Originally posted by ezst036
Never.
I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.
I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.
Root being enabled is a must-have feature.
- Likes 1
-
Personally, I consider the default configuration for services like ssh to be entirely irrelevant. This is THE main public danger facing point of access for your system. If you don't go over it PERSONALLY, then you deserve to DDOS yourself by painting a bullseye on port 22 to let all of China try to break in.
1) Put it on a port besides 22, 222, or 2222. I know this is not a real security approach, but it is amazing how much of that persistent attack traffic goes away with just this simple adjustment. On my HOME network, which isn't even a big target, if I have ssh on port 222, I'll get around 5-10 connections from China every hour.
2) No root password login. Key is ok if you really must, but definitely no password.
3) fail2ban, and with a right good and paranoid configuration. 2 shots in an hour and banned for at least a few hours. This is one of the biggest pieces of your security, because it takes you from 10 million IP addresses attacking you relentlessly, to 10 million IP addresses getting 2 shots and stopping.
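The sshd-side points of the list above (1 and 2), as an added example that is not part of the original post: a POSIX shell check of an sshd_config-style file. It assumes Include directives are not followed; the sample configuration, port 40022 and the function names are constructed for illustration.

```shell
# Added example (not from the thread): audit the global section of an
# sshd_config-style file. Assumption: Include directives are not followed.

# global_values FILE KEYWORD: print each value set for KEYWORD before the
# first Match block. Keywords are case-insensitive; "Keyword=value" is accepted.
global_values() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }
        key == "match" { exit }                  # conditional overrides start here
        key == tolower(want) { print $2 }
    ' "$1"
}

# audit_sshd_config FILE: print one finding per line, return 1 on any WARN.
audit_sshd_config() {
    status=0
    ports=$(global_values "$1" Port)
    [ -n "$ports" ] || ports=22      # sshd listens on 22 when no Port is set
    for p in $ports; do              # Port may be given more than once
        case $p in
            22|222|2222) echo "WARN Port $p is on the post's avoid list"; status=1 ;;
            *) echo "OK   Port $p" ;;
        esac
    done
    # Unlike Port, only the first PermitRootLogin value obtained is used.
    root=$(global_values "$1" PermitRootLogin | head -n 1)
    case $root in
        no|prohibit-password|without-password|forced-commands-only)
            echo "OK   PermitRootLogin $root" ;;
        yes) echo "WARN PermitRootLogin yes does not block root passwords"; status=1 ;;
        "")  echo "WARN PermitRootLogin unset, the build default applies"; status=1 ;;
        *)   echo "WARN PermitRootLogin $root is not a recognised value"; status=1 ;;
    esac
    return $status
}

# Constructed sample; sshd would ignore the second PermitRootLogin line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
port 40022
PermitRootLogin prohibit-password
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || true
rm -f "$sample"
```

An unset PermitRootLogin is reported as a warning because the effective value then depends on the default compiled into the installed sshd, which is the setting the Fedora 31 change is about.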
-
Originally posted by ezst036
Never.
I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.
I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.
Root being enabled is a must-have feature.
ssh -t user@host /bin/sh
or if you want to skip a step;
ssh -t user@host /bin/su
-
Originally posted by milkylainen
It always boils down to what kind of admin is running the machine.
Everything else is an illusion of security.
-
Originally posted by ezst036
Never.
I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.
I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.
Root being enabled is a must-have feature.