
Re: Root password strength



On 22.03.2024 14:57, Jan Krapivin wrote:


> Thu, 21 Mar 2024 at 22:34, Alexander V. Makartsev <avbetev@gmail.com>:
>> This conclusion seems less than optimal to me.
>> Condemning yourself to type a 12+ character password every time you 'sudo' would really hurt the accessibility and usability of your home computer, and for no good reason.
>>
>> If we focus solely on your use case, the login security of a PC at home without remote access, then the password of your sudo user could be as short and
>> simple as four numbers, of course unrelated to your date of birth, phone number, or any other easily guessable sequence of numbers, like '1234'.
>
> Are you speaking only about the sudo password, or the root password also?

Dealing with the root password could be tricky, and you have three options:
1. You can implement the same 'faillock' scheme for the root user as well and make the root password shorter for convenience.
    Pro: After 3 failed login attempts the root user will be locked for a time period.
    Con: You or somebody else can (un)intentionally lock out the root user for a time period.
2. You can set a good password (12+ symbols) for the root user without the 'faillock' scheme.
    Pro: You will always be able to log in as the root user.
    Con: Typing a 12+ symbol password could be a headache.
3. You can unset (delete) the root user password and lock the account.
    Pro: Nobody will be able to log in as the root user directly. Instead you will have to rely on the sudo user to gain root privileges.
    Con: You will have to keep the sudo account safe and set a shorter lockup time period or make another sudo user as a backup.

If you prefer to have the root user as a failsafe, to fix the system when you screw something up, I suggest going for option 2 and keeping it simple.

> The thing that bothers me is the words: "any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts"
> I am not tech-savvy. Can you say with 100% (90%?) confidence that there is no such thing? That a home PC without SSH or anything complicated is safe (rather safe) from "automated connection attempts"?
> This thread reminded me of this topic - https://forums.debian.net/viewtopic.php?t=154002

That statement is not entirely true, because it depends on how the PC is connected to the Internet. There are three options:
1. Your PC is connected to a Local Area Network (LAN) and there is a router/firewall device between your PC and the Internet cord.
    In this case any unsolicited Internet traffic (automated connections, port scans, etc.) will be stopped by the router/firewall device.
    This is because of how IPv4 network address translation (NAT) works, to allow multiple LAN hosts to connect to the Internet with a single IP address assigned by the Internet Service Provider (ISP).
    In case you want some traffic to reach your PC through the router/firewall device, you will have to configure a rule and allow it on the router/firewall device.
2. Your PC is connected to a router device that works as a network bridge and your PC has a public IP address assigned by the ISP.
    In this case any unsolicited Internet traffic (automated connections, port scans, etc.) will reach your PC and should be stopped by a firewall.
3. Your PC is connected to the Internet cord directly and the PC has a public IP address assigned by the ISP.
    In this case any unsolicited Internet traffic (automated connections, port scans, etc.) will reach your PC and should be stopped by a firewall.

In cases 2 and 3 you have to keep a firewall up and configured to block incoming traffic. You also have to be aware of any active network services on your PC that could be accessed from the Internet, and it is your job to keep them secure.
These services could be anything: SSH server, FTP server, HTTP server, SQL server, SAMBA server, game servers, etc.

In case 1 you are relatively safe from Internet traffic noise. Hosts on your LAN are separated from the Internet by the router/firewall device.

Now, I don't want to scaremonger and feed anyone's paranoia, but for the sake of completeness, there are known cases in history when routers/firewalls had vulnerabilities, firmware flaws, or negligent configuration that allowed perpetrators to 'hack' them, as in gain full access and control over their firmware and gain network access to LAN hosts.
These cases are extremely rare nowadays and very hard to pull off successfully, especially if the device owner keeps the firmware up-to-date and the configuration tidy.

I hope this helps you understand a little more about how networking works under the hood. While there is indeed network traffic noise reaching every host on the Internet every second, 99.99% of it is simply dropped by firewalls or ISP filters, or fails otherwise.


--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
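
The message above advises being aware of which network services on a PC can be reached from outside it. The following is an added example, not part of the original message: a shell function that reads `ss -H -tln` output and lists only the TCP listeners bound to non-loopback addresses. The function names and the sample socket lines are constructed for illustration, and the input is assumed to be produced without `-p`, so the local address is the second-to-last field.

```shell
#!/bin/sh
# Added example: list TCP listeners that are not bound to loopback only.
# Input: output of `ss -H -tln` (assumed without -p), one socket per line.
# The local address:port is then the second-to-last field.

exposed_listeners() {
    awk '
    NF >= 4 {
        addr = $(NF-1)
        port = addr
        sub(/.*:/, "", port)        # text after the last colon is the port
        sub(/:[^:]*$/, "", addr)    # what remains is the bind address
        sub(/%.*$/, "", addr)       # drop an interface suffix such as %lo
        # 127.0.0.0/8 and ::1 are loopback: only local processes can connect
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr, port
    }'
}

# Constructed sample, shaped like `ss -H -tln` output on a desktop.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
LISTEN 0      50      192.168.1.10:445       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      128            [::1]:631          [::]:*
EOF
}

# Run on the sample; on a live system use: ss -H -tln | exposed_listeners
sample_ss_output | exposed_listeners
```

Every line it prints is a service that the firewall in cases 2 and 3 has to cover; an empty result means all TCP listeners are loopback-only.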
