On 19/3/24 23:02, Greg Wooledge wrote:
> On Tue, Mar 19, 2024 at 05:42:55PM +0300, Jan Krapivin wrote:
> > The root user's password should be long (12 characters or more) and
> > impossible to guess. Indeed, any computer (and a fortiori any server)
> > connected to the Internet is regularly targeted by automated connection
> > attempts with the most obvious passwords. [...]
> For most people, this really isn't a concern, because they either don't
> run an ssh server at all, or they use the default sshd_config which does
> not allow root logins.
> 
> The only time you need to worry about this is if you:
> 
>   * Run an ssh server, AND
>   * Accept ssh connections from the public Internet, AND
>   * Have changed the sshd_config file to allow ssh root logins.


A preferred method of securing root on public-access systems is to use client certificates. Some implementations will have no password for root, so unless you have the certificate, you will never be able to log in.

Cloud servers such as those hosted by AWS typically do this.

A 'safer' implementation will not even expose an ssh port. Instead there will be a certificate-based VPN, where you first need a certificate to connect and then you need a separate certificate to log in as root. A further enhancement of security is to use 2-factor authentication, which is supported in sshd via PAM.

For me to get remote root access to my systems, I first need to connect to my firewall with a certificate-based VPN; then I need to present a root client certificate; and then I need to enter a 2FA code.

Even from within my network I need a client certificate and 2FA to connect to an sshd server.
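As an added illustration (not part of this thread), a small Python checker for the third condition in Greg's list, applying sshd_config's first-value-wins and Match-block rules and understanding the key-plus-2FA arrangement described above via AuthenticationMethods. The sample configs are constructed; the defaults assume OpenSSH 9.x and the `Keyword value` form (not `Keyword=value`), and Match criteria other than User/All are treated as not matching because they need live connection data.

```python
from fnmatch import fnmatch

# Defaults for absent keywords (assumption: OpenSSH 9.x, per sshd_config(5)).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "authenticationmethods": "any"}

# Constructed sample configs, not taken from any real host.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
KEY_PLUS_2FA = ("PermitRootLogin yes\nPasswordAuthentication no\nUsePAM yes\n"
                "KbdInteractiveAuthentication yes\n"
                "AuthenticationMethods publickey,keyboard-interactive\n")

def parse_sshd_config(text):
    """Return (global_opts, match_blocks). sshd keeps the FIRST value seen for a
    keyword, hence setdefault(); lines after 'Match' belong to that block."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            current = {"criteria": value.lower().split(), "opts": {}}
            blocks.append(current)
        else:
            (current["opts"] if current else global_opts).setdefault(key.lower(), value)
    return global_opts, blocks

def block_applies(criteria, user):
    # Only 'Match All' / 'Match User a,b' are decidable offline; Address, Group
    # etc. need connection data, so such blocks are treated as not matching.
    return criteria[:1] == ["all"] or (len(criteria) == 2 and criteria[0] == "user"
                                      and any(fnmatch(user, p) for p in criteria[1].split(",")))

def effective_options(text, user="root"):
    """Satisfied Match blocks override globals; the first block to set a key wins."""
    global_opts, blocks = parse_sshd_config(text)
    sources = [b["opts"] for b in blocks if block_applies(b["criteria"], user)]
    eff = {}
    for src in sources + [global_opts, DEFAULTS]:
        for k, v in src.items():
            eff.setdefault(k, v.lower())
    return eff

def root_password_login_possible(text):
    """True if a remote client could become root with nothing but a password."""
    eff = effective_options(text, "root")
    if eff["permitrootlogin"] != "yes" or "yes" not in (eff["passwordauthentication"], eff["kbdinteractiveauthentication"]):
        return False  # key-only root (prohibit-password etc.), or no password-type method enabled
    if eff["authenticationmethods"] == "any":
        return True
    # Space separates alternatives; comma-joined methods must ALL succeed.
    return any("publickey" not in alt.split(",") for alt in eff["authenticationmethods"].split())
```

Run it against a copy of /etc/ssh/sshd_config (merging any Include'd files first, in order) to see whether the password-only root path exists; the KEY_PLUS_2FA sample passes only because every alternative in AuthenticationMethods requires a key.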

