On Fri, May 17, 2019 at 4:35 PM Kevin Fenzi <ke...@scrye.com> wrote:
>
> On 5/17/19 5:23 AM, Stephen Gallagher wrote:
>
> ...snip...
>
> > 3) Force Anaconda to require the creation of a non-root user that is a
> > member of the `wheel` group, so that this user can be used to SSH in
> > and administer the system. Essentially, remove the root user creation
> > spoke as an option from the interactive install.
>
> So, this is basically the old cloud-init makes a user that can sudo to
> root thing. Can anyone explain in small words how this is more secure?
>

If you've ever examined your audit logs for failed authentications,
you'll notice the difference is substantial. The root user is under
non-stop attack over ssh, by countless bots and malicious users. Other
users are not so frequently targeted. The attack surface is
dramatically reduced when disabling access for the root user over
ssh, and replacing that with a different user. This is not perfect
security, but it reduces the attack surface that can be automatically
targeted by automated attack tools.

> I mean, in this case the attacker would need to guess the username in
> addition to the password (where in the cloud case this is known), but
> otherwise why not just keep root password access ?
>

The other user is not necessarily known, even in the cloud case. At
least on Amazon EC2, cloud-init can be used to parse user-data passed
in to add a user dynamically at launch time, rather than have the
default user well-known in the cloud image.

> I always found that cloud default annoying and useless and haven't yet
> seen a good argument to not do it.

Cloud default users are, from my limited experience on AWS and looking
at my own audit logs, nearly as often targeted by attackers as the
root user. So, I find these defaults annoying, too. The secure
position shouldn't be to admit defeat and leave password-based login
for the root user open on SSH... the secure position should be to
immediately create a new user during setup (either via kickstart,
anaconda, or cloud-init) that isn't a built-in default user (either
built-in to the OS, as "root" is, or built-in to the cloud image, as
"fedora" and "centos", etc. users are).

>
> kevin
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
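
The comparison described in the reply above (failed SSH authentications against root versus image-default and other accounts) can be checked with a short tally over sshd log lines. This is an added example, not part of the original message; the log lines are constructed samples, and the `IMAGE_DEFAULTS` set and the function names are assumptions for illustration.

```python
import re
from collections import Counter

# Matches sshd lines such as:
#   Failed password for root from 203.0.113.5 port 40022 ssh2
#   Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption: image-default account names taken from the message above.
IMAGE_DEFAULTS = {"fedora", "centos"}

def classify(user):
    """Bucket a username as root, a cloud image default, or anything else."""
    if user == "root":
        return "root"
    return "image-default" if user in IMAGE_DEFAULTS else "other"

def tally_failures(lines):
    """Return (failures per class, failures per user, distinct sources per class)."""
    by_class, by_user, sources = Counter(), Counter(), {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, cls = m.group("user"), classify(m.group("user"))
        by_class[cls] += 1
        by_user[user] += 1
        sources.setdefault(cls, set()).add(m.group("ip"))
    return by_class, by_user, {c: len(s) for c, s in sources.items()}

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = """\
May 17 16:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
May 17 16:01:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
May 17 16:02:11 host sshd[1207]: Failed password for root from 198.51.100.7 port 51234 ssh2
May 17 16:02:14 host sshd[1209]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
May 17 16:03:40 host sshd[1215]: Failed password for fedora from 203.0.113.5 port 40100 ssh2
May 17 16:04:02 host sshd[1218]: Failed password for invalid user centos from 192.0.2.44 port 33010 ssh2
May 17 16:05:00 host sshd[1222]: Accepted publickey for opsadmin from 192.0.2.10 port 50022 ssh2
May 17 16:06:19 host sshd[1230]: Failed password for root from 192.0.2.44 port 33055 ssh2
""".splitlines()

if __name__ == "__main__":
    by_class, by_user, srcs = tally_failures(SAMPLE)
    for cls, n in by_class.most_common():
        print(f"{cls:14} failures={n:3} distinct_sources={srcs[cls]}")
```

To run it against a real host, feed it the lines of the system's sshd log instead of `SAMPLE`.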