Re: Renaming "root" to "homer"?
On Fri, 30 May 2008 18:38:31 -0700, Brian <[EMAIL PROTECTED]> wrote:
>Has denyhosts been recommended yet, or an sshd port change?

I did the latter, but will also look at denyhosts. Thanks guys.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Renaming "root" to "homer"?
Has denyhosts been recommended yet, or an sshd port change?

Brian
Re: Renaming "root" to "homer"?
On Friday 30 May 2008, Oliver Fromme wrote:
> Another idea would be to move sshd from the default port
> to a non-standard port, e.g. 222 or whatever. Typically
> ssh brute force attacks target port 22 only. This will
> also clear your logs from useless break-in attempts.

/usr/ports/security/denyhosts is quite good for permanently blocking access from IPs that make suspicious ssh probes. It reduces garbage in the logs too because after a remote address gets blocked future probes from it get rejected before they even get as far as being logged.

--
Mike Clarke
Re: Renaming "root" to "homer"?
Wojciech Puchar <[EMAIL PROTECTED]> wrote:
> > People have already pointed out that it is a bad idea to
> > allow remote root logins, so I won't repeat that. :-)
>
> i like bad ideas :) except the worst idea - dumb generalization.

If you disagree, please explain why. Otherwise your comment is pointless.

> > But to answer your question: Renaming the "root" account
> > will probably break quite a lot of things, for example
>
> make 2 roots, root and homer in /etc/master.passwd

Yes, that would work. You just have to make sure to disable password logins for root (i.e. "*").

Another idea would be to move sshd from the default port to a non-standard port, e.g. 222 or whatever. Typically ssh brute force attacks target port 22 only. This will also clear your logs from useless break-in attempts.

Note that both suggestions (creating a "homer" user and using a different port) are _not_ security measures per se, but rather "security by obscurity". You still have to use good passwords, or ssh keys.

Another approach is to enable ssh connections only from certain source addresses or networks, using IPFW or PF. Of course that's only possible if you know in advance from which addresses you will need to be able to connect.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
FreeBSD services, products and more: http://www.secnetix.de/bsd
Re: Renaming "root" to "homer"?
On Fri, May 30, 2008 at 05:03:06PM +0200, Wojciech Puchar wrote:
> >People have already pointed out that it is a bad idea to
> >allow remote root logins, so I won't repeat that. :-)
>
> i like bad ideas :) except the worst idea - dumb generalization.
>
> >But to answer your question: Renaming the "root" account
> >will probably break quite a lot of things, for example
>
> make 2 roots, root and homer in /etc/master.passwd
>
> just remember to type
> passwd root
>
> or
>
> passwd homer.

Yes, you can make an alternately named root (such as toor is just that) with its own login directory and .cshrc, window manager, etc. But it is still bad to log in directly as any of these roots from a remote location. As has been mentioned, you should ssh in to a non-root account and then su to the root. You can su to the alternate root and then not give the main root a password if you like.

jerry
Re: Renaming "root" to "homer"?
On 5/29/08, Gilles <[EMAIL PROTECTED]> wrote:
> Hello
>
> With all those scripts trying to connect to SSHd as "root", I was
> wondering if it'd be OK to rename this account to eg. "homer", to act
> as a first line of defense?

I doubt it.

> Are there unknown consequences to doing something like that?

Probably, but if we knew what they were, they wouldn't be unknown.

> If not, is it done by just editing /etc/password with vi, or is there
> a better way?

Use vipw. That invokes vi (or your default editor if that's not vi) to edit the account database (which isn't actually /etc/passwd), and when you exit from vi, it runs the scripts necessary to update all the right things.

Lots of peeps have already pointed out the downside of this, but if you really think it's what you want to do, probably the best way to do it is to create a second admin account named "homer" or whatever. In /etc/passwd, the "toor" account is an example of this (it is disabled by default). They both have UID 0 and are effectively the same account, just accessed by different names and passwords. Then change the root password to be invalid, so the attackers can hack away all day and have no chance of guessing the root password. You do that by putting a * in the password field (the second field) while you are in vipw.

I (along with many others) think you should find a solution that doesn't require remote admin logins, but while you do the reading necessary for that, this at least seems to quickly accomplish your goal.

- Bob
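The following check is an added example and not part of any message in this thread: it lists the UID 0 accounts in a master.passwd-format file, reports which of them have a locked ("*") password field, and reads PermitRootLogin from an sshd_config. The function names and the sample files are constructed for illustration; it assumes FreeBSD's 10-field master.passwd layout.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the 10-field master.passwd
# layout (name:password:uid:...) and whitespace-separated sshd_config keywords.

# list_uid0 FILE: print "name status" for each UID 0 account. "locked" means
# the password field starts with "*", so no typed password can match it.
list_uid0() {
    awk -F: '/^#/ || NF < 10 { next }      # skip comments and malformed lines
        $3 == 0 { s = "password-set"
                  if ($2 == "") s = "empty-password"
                  else if ($2 ~ /^\*/) s = "locked"
                  print $1, s }' "$1"
}

# root_login_setting FILE: first global PermitRootLogin value, or "unset".
root_login_setting() {
    awk 'tolower($1) == "match" { exit }   # lines after Match are conditional
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# exposed_roots PASSWD SSHD_CONFIG: UID 0 names a password-guessing script can
# still reach: PermitRootLogin is "yes" and the password field is not locked.
exposed_roots() {
    [ "$(root_login_setting "$2")" = "yes" ] || return 0
    list_uid0 "$1" | awk '$2 != "locked" { print $1 }'
}

# make_samples DIR: write constructed sample files (hashes are placeholders).
make_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
homer:$6$constructed$placeholderhash:0:0::0:0:Alternate root:/root:/bin/csh
gilles:$6$constructed$placeholderhash:1001:1001::0:0:Gilles:/home/gilles:/bin/sh
EOF
    printf '#PermitRootLogin no\nPort 222\nPermitRootLogin yes\n' > "$1/sshd_config"
}

d=$(mktemp -d) && make_samples "$d"
list_uid0 "$d/master.passwd"
echo "PermitRootLogin: $(root_login_setting "$d/sshd_config")"
echo "exposed: $(exposed_roots "$d/master.passwd" "$d/sshd_config")"
rm -rf "$d"
```

On a real host the same functions can be pointed at /etc/master.passwd (readable by root only) and /etc/ssh/sshd_config.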
Re: Renaming "root" to "homer"?
2008/5/30 Wojciech Puchar <[EMAIL PROTECTED]>:
>> People have already pointed out that it is a bad idea to
>> allow remote root logins, so I won't repeat that. :-)
>
> i like bad ideas :) except the worst idea - dumb generalization.
>
>> But to answer your question: Renaming the "root" account
>> will probably break quite a lot of things, for example
>
> make 2 roots, root and homer in /etc/master.passwd

Won't work. sshd does not only check the username, but the UserID, too... That's what I expect from a security aware software anyway.

A method to deal with this "issue" could be to install sudo and to define

  username ALL=(root) NOPASSWD: /path/to/shell

Then you could do

  alias su="/usr/local/bin/sudo -u root /path/to/shell"

Needless to say that as soon as the user account is compromised, the root account is out of your control, too.

> just remember to type
> passwd root
>
> or
>
> passwd homer.
Re: Renaming "root" to "homer"?
> How would that help with his problem?
>
> Christian Zachariasen

all programs will work
Re: Renaming "root" to "homer"?
On Fri, May 30, 2008 at 5:03 PM, Wojciech Puchar <[EMAIL PROTECTED]> wrote:
>> People have already pointed out that it is a bad idea to
>> allow remote root logins, so I won't repeat that. :-)
>
> i like bad ideas :) except the worst idea - dumb generalization.
>
>> But to answer your question: Renaming the "root" account
>> will probably break quite a lot of things, for example
>
> make 2 roots, root and homer in /etc/master.passwd
>
> just remember to type
> passwd root
>
> or
>
> passwd homer.

How would that help with his problem?

Christian Zachariasen
Re: Renaming "root" to "homer"?
> People have already pointed out that it is a bad idea to
> allow remote root logins, so I won't repeat that. :-)

i like bad ideas :) except the worst idea - dumb generalization.

> But to answer your question: Renaming the "root" account
> will probably break quite a lot of things, for example

make 2 roots, root and homer in /etc/master.passwd

just remember to type
passwd root

or

passwd homer.
Re: Renaming "root" to "homer"?
Gilles <[EMAIL PROTECTED]> wrote:
> With all those scripts trying to connect to SSHd as "root", I was
> wondering if it'd be OK to rename this account to eg. "homer", to act
> as a first line of defense?
>
> Are there unknown consequences to doing something like that?

People have already pointed out that it is a bad idea to allow remote root logins, so I won't repeat that. :-)

But to answer your question: Renaming the "root" account will probably break quite a lot of things, for example install scripts which often contain commands like "chown root bin/whatever", or start/stop scripts for daemon processes that match for certain commands run by "root", and so on. So better don't do that.

Many programs expect that there is an account called "root" with UID 0. Otherwise they will malfunction.

> If not, is it done by just editing /etc/password with vi, or is there
> a better way?

No, editing /etc/passwd directly doesn't work. Instead, you should use the vipw(8) tool, which does several things:

- It locks the master.passwd file so nobody else can edit it at the same time.
- It opens the master.passwd file with vi (or a different editor if you have the environment variable EDITOR set).
- Afterwards it checks the master.passwd file for correct syntax and consistency, to prevent accidental breakage.
- It generates the passwd file (for compatibility only) and the pwd.db and spwd.db database files.
- Finally the lock is released.

Alternatively you can use the pw(8) command line tool to edit, add or delete accounts and groups. Please see the manual page for details.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
FreeBSD services, products and more: http://www.secnetix.de/bsd
Re: Renaming "root" to "homer"?
On Fri, May 30, 2008 at 7:38 AM, Brian <[EMAIL PROTECTED]> wrote:
>> Sorry, forgot to send this to the mailing list as well:
>>
>> Not recommended.
>>
>> Instead edit your sshd_config file and change the option PermitRootLogin
>> to "no".
>>
>> Christian Zachariasen
>
> Isn't this the FreeBSD default anyway, that root cannot login remotely
> anyway, unlike that penguin OS? SSH in remotely as a non root user that is
> in the wheel group and then su to root.
>
> Brian

I think you're right, I was just assuming that he had the setting set to "Yes" since he wanted to rename root to homer in order to stop these attacks.

Christian Zachariasen
Re: Renaming "root" to "homer"?
> Sorry, forgot to send this to the mailing list as well:
>
> Not recommended.
>
> Instead edit your sshd_config file and change the option PermitRootLogin
> to "no".
>
> Christian Zachariasen

Isn't this the FreeBSD default anyway, that root cannot login remotely anyway, unlike that penguin OS? SSH in remotely as a non root user that is in the wheel group and then su to root.

Brian
Re: Renaming "root" to "homer"?
On Thursday 29 May 2008, Gilles wrote:
> On Thu, 29 May 2008 10:48:27 +0200, Pieter de Goeje
> <[EMAIL PROTECTED]> wrote:
> >Unless you have explicitly set PermitRootLogin to yes in
> > /etc/ssh/sshd_config, it is not possible to login as root using
> > ssh.
>
> Right. I did this because I was tired of having to log on as homer
> and then sudo'ing to root, using two complicated passwords :-/
>
> I guess I should learn how to use public/private keys instead.

If using keys instead of passwords you could consider setting PermitRootLogin to "without-password". It's a misleading choice of name for the option but it ensures that root using ssh must use keys instead of a password. Adding your own public key to /root/.ssh/authorized_keys on the remote machine avoids the need for you to remember the remote password.

--
Mike Clarke
Re: Renaming "root" to "homer"?
On Thu, 29 May 2008 10:48:27 +0200, Pieter de Goeje <[EMAIL PROTECTED]> wrote:
>Unless you have explicitly set PermitRootLogin to yes in /etc/ssh/sshd_config,
>it is not possible to login as root using ssh.

Right. I did this because I was tired of having to log on as homer and then sudo'ing to root, using two complicated passwords :-/

I guess I should learn how to use public/private keys instead.
Re: Renaming "root" to "homer"?
On Thursday 29 May 2008, Gilles wrote:
> Hello
>
> With all those scripts trying to connect to SSHd as "root", I was
> wondering if it'd be OK to rename this account to eg. "homer", to act
> as a first line of defense?
>
> Are there unknown consequences to doing something like that?
>
> If not, is it done by just editing /etc/password with vi, or is there
> a better way?
>
> Thank you.

Unless you have explicitly set PermitRootLogin to yes in /etc/ssh/sshd_config, it is not possible to login as root using ssh.

--
Pieter de Goeje
Re: Renaming "root" to "homer"?
On Thu, May 29, 2008 at 10:40 AM, Gilles <[EMAIL PROTECTED]> wrote:
> Hello
>
> With all those scripts trying to connect to SSHd as "root", I was
> wondering if it'd be OK to rename this account to eg. "homer", to act
> as a first line of defense?
>
> Are there unknown consequences to doing something like that?
>
> If not, is it done by just editing /etc/password with vi, or is there
> a better way?
>
> Thank you.

Sorry, forgot to send this to the mailing list as well:

Not recommended.

Instead edit your sshd_config file and change the option PermitRootLogin to "no".

Christian Zachariasen
Renaming "root" to "homer"?
Hello

With all those scripts trying to connect to SSHd as "root", I was wondering if it'd be OK to rename this account to eg. "homer", to act as a first line of defense?

Are there unknown consequences to doing something like that?

If not, is it done by just editing /etc/password with vi, or is there a better way?

Thank you.