From: Danny Pansters
To: Gert Cuykens
cc: freebsd-questions@freebsd.org
Date: Fri, 4 Feb 2005 03:18:01 +0100
Subject: Re: ssh default security risc
Message-Id: <200502040318.01703.danny@ricin.com>

On Friday 4 February 2005 02:59, Gert Cuykens wrote:
> the engine to start. Enabling the ssh root is like having the remote
> car key that opens every door at once so you can get in to kick his
> butt :)

You're overlooking one crucial thing. The attacker isn't really interested in any user account (that would merely be a means); she's interested in the root account (that would be the prize).

Enabling ssh login for root, even if it goes through a port other than 22, or even a static ssh program with some weird predefined account (call it toor ;-), nonetheless opens a direct entry to the root account, one which wouldn't have been there otherwise. I've seen quite a few whizz-bang admins at ISPs do just that. They think they can outsmart the attacker. Usually they won't.

Sure, they can brute-force a user account which does have ssh access also, but they're still one step ahead (and a good password policy is a big hurdle there). And is that user part of the wheel group (e.g. an admin)? If she ain't, the attacker is now two steps behind.

You also should note that rooted == rooted. All is over by then. Your box is completely unreliable. E.g. if an attacker can get physical access, forget it, assume he's in and everywhere.

Security is about layers and, in the best case, totally different context and access rights and what have you between those layers.

Dan
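As an added example (not part of the original mail or of FreeBSD's own tooling), a small sshd_config audit for the two settings the thread argues about: the effective PermitRootLogin value and the listening port. It honours sshd's rule that the first occurrence of a keyword wins and that `#` starts a comment; Match blocks are not evaluated (assumption: the global section is what matters), and the sample configs are constructed.

```sh
#!/bin/sh
# Added example, not from the original mail: audit an sshd_config for the
# settings discussed in the thread. sshd uses the FIRST occurrence of a
# keyword and treats '#' as a comment; "Match" blocks are not evaluated
# (assumption: only the global section matters). Samples are constructed.

# effective_option FILE KEYWORD: print the value sshd would use, or "unset"
effective_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == kw { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_permitted FILE: succeeds (0) when root can be reached over ssh.
# "unset" counts as reachable because the compiled-in default differs
# between OpenSSH versions, so only an explicit "no" is trusted.
root_login_permitted() {
    case "$(effective_option "$1" PermitRootLogin | tr 'A-Z' 'a-z')" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample: port moved, root still reachable (first line wins)
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
Port 2222
PermitRootLogin yes    # this one counts
PermitRootLogin no     # sshd ignores this later duplicate
EOF

# Constructed sample: default port, root login off, wheel-only access
SAMPLE_HARD=$(mktemp)
cat > "$SAMPLE_HARD" <<'EOF'
# Port 22 left at its default
PermitRootLogin no
AllowGroups wheel
EOF

for f in "$SAMPLE_WEAK" "$SAMPLE_HARD"; do
    printf 'Port=%s PermitRootLogin=%s -> ' \
        "$(effective_option "$f" Port)" "$(effective_option "$f" PermitRootLogin)"
    if root_login_permitted "$f"; then echo "root reachable"; else echo "root not reachable"; fi
done
```

Moving the port changes nothing about whether root is reachable; only the PermitRootLogin line does, and a later duplicate line does not undo an earlier one.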