
RE: PermitRootLogin enabled by default



Alvin,

If the cracker can get in as a user, it's merely a matter of time before they can worm their way into becoming root. Defenses against this are difficult; the NSA version "SELinux" deliberately places great restrictions on user abilities to try to prevent just such things. But I don't think there is any certain way to prevent a user from gaining root access if they are capable and determined.

Layered defenses are best, of course. Network firewall (or packet filtering), restricted service offering (no fingerd, no telnetd, etc.), then strong authentication for login, then restricted access to root.

Like you, I do not prefer to allow direct root logins so that an attacker must overcome each barrier in turn.

One of my favorite features of Debian is being able to go through the packages at install time and un-select such things as fingerd and telnetd, so that the services never exist on the server.

Curt-

> From: Alvin Oga [mailto:aoga@Maggie.Linux-Consulting.com]
>
> hi all
> 
> if an attacker got in ... as a user .... game over... they got in ???
> 	- question is what damage can they do as "user" ...
> 
> if an attacker gets in the same way as root...  game is really over...
> as they now have complete control of your machine..
> 	- i prefer to disallow root logins... 
> 
> ( assumption in the above is that they can get in thru an existing
> ( vulnerability .. either as root or a user ..
>  
> -- patch the original vulnerability .... fix it first ...
> 	worry about the "follow-me around folks" later ...
> 	( like those in the van outside your home/office listening
> 	( to the wireless connections...
> 
> c ya
> alvin
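
Added example, not part of the original messages: a shell check for the "restricted access to root" layer discussed in this thread, reporting the global PermitRootLogin value an sshd_config-style file yields. The function names and the sample file are constructed for illustration, and the value used when the keyword is absent is an assumption the caller passes in.

```shell
#!/bin/sh
# Prints the global PermitRootLogin value for an sshd_config-style file.
#   $1 = config file path
#   $2 = value to assume when the keyword is absent (assumption: the
#        built-in default differs between OpenSSH releases, so pass it in)
# Limits: Include files are not followed, Match blocks are not evaluated.
effective_permit_root_login() {
    awk -v dflt="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading whitespace
            if (line == "" || line ~ /^#/) next  # blank line or comment
            sub(/[ \t]*=[ \t]*/, " ", line)      # "Key=value" is also valid
            split(line, f, /[ \t]+/)
            key = tolower(f[1])                  # keywords are case-insensitive
            if (key == "match") exit             # global section ends here
            if (key == "permitrootlogin") { val = tolower(f[2]); exit }
        }
        END { print (val != "" ? val : dflt) }
    ' "$1"
}

# Returns 0 only when direct root login is switched off entirely.
direct_root_login_disabled() {
    [ "$(effective_permit_root_login "$1" "$2")" = "no" ]
}

# Constructed sample: the commented line and the later "no" are both
# ignored, because sshd keeps the first value it reads for a keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
Port 22
permitrootlogin Yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF

echo "effective PermitRootLogin: $(effective_permit_root_login "$sample" yes)"
if direct_root_login_disabled "$sample" yes; then
    echo "direct root login is disabled"
else
    echo "direct root login is still possible"
fi
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself resolves it.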

