On Fri, Dec 15, 2006 at 03:09:54PM +0100, Olive wrote: > >Well, if sudo is well configured, it does not give complete root access, > >It should be limited to mostly inoffensive command options and require > >the password for the rest. As for the logs, you are right in the case > >where they are kept local, but any reasonable size network will use a > >separate node with a different password as a loghost. All the failed > >attempt will be sent there and recorded before any successful promotion. > >Those will be much harder to erase. But you are right I should have > >mentioned it. > > > This make more sense, but still I am perplex. I was speaking about the > "Unbuntu" type of sudo account: you have to give your own password to > have root access, not a different one. If an offender had succeed to log > in, he has already the normal user account password. For the logs, if > the local system is able to send some log to another network, a user > having root access is also able too; how can the local system be > "authorized" to send remote log across the network and denying this to a > user having rootlocal access. Even if there is a password to send the > logs over the network, the system must store it somewhere in order to be > able to use it. A user having local root access is able to analyse > /dev/mem to discover it. It may present some difficulties but this seems > like "security by obscurity"; which is known to be bad. However, a more > secure variant would be to authorize the system to send log but not to > clear it; in this later case it could be more secure. Anyway just > prevent a root ssh does not increase security as it; it only does in > conjunction with several other steps. This way to setup sudo does not make sense to me. It is giving full root access to every user, which is plain bad. It must be a configuration for single workstation used by one person only. As for the loghost, take a look at syslog and syslog-ng. This type of setup does only make sense in append mode. That is, you send something and it is logged, no access to previous record. This way, when something fishy happens, you look at your logs chronologically and you (hopefully) see what happens before the fake records sent by the attacker. There is no authentication involved, just ip filtering. I think the main point in disabling root access is to break all those bots which scan the net for ssh servers and try their dictionnaries of passwords on the root account. I see one every 10-20min on my ssh gateways. jacques
Attachment:
signature.asc
Description: Digital signature