Delimit the remote access to users with privilege is not in any case based Security through Obscurity. Obviously the best option for delimiting access is disabled by default SSH. I consider before taking such drastic measures that may affect users of cloud, is more than reasonable disable access to users with administrative permissions.I will not go on reasonable local situations like using custom rules for SELinux or firewall rules (when the firewall disabled by default).
Delimiting access to SSH is not only through the LAN/Internet network, it is also important to prevent a local user where SELinux rules or whatever will not let you make a su/sudo/whatever - root. And They can simply ssh localhost.
- Do not run sshd by default:
It would be great in the installation this was an option to enable it. Better to go step by step and see what happen with the users and how this affect them without drastic changes.
It would be great in the installation this was an option to enable it. Better to go step by step and see what happen with the users and how this affect them without drastic changes.
- Install a script like fail2ban: So you need a default firewall enabled (
What do we have? I know another thread about fw disabled by default..). This really affects more an a user than disable remote root login.
What do we have? I know another thread about fw disabled by default..). This really affects more an a user than disable remote root login.
Do we want to help the user to have a secure distribution by default?
Let's start by being aware that we must define certain things that are not commonly used. Is more common users with weak passwords than users using ssh as root or using rsync..
On Mon, Jan 12, 2015 at 5:27 PM, Milan Keršláger <milan.kerslager@xxxxxxxx> wrote:
Dne 12.1.2015 v 15:46 Przemek Klosowski napsal(a):
> There still needs to be an administrative access to the system, and the
> most common implementation by enabling 'sudo' on the non-privileged
> account. So, in a sense you are both right: this feature is just a small
> step rather than a security panaceum, but it does bring real
> improvements in several areas:
>
> - increases difficulty of the attack by banning stupid automated BF
> attacks on root
> - improves accountability for administrative actions (we know which
> admin messed up :)
> - allows more granularity in granting elevated privileges across a set
> of machines and admins
No. It improves nothing. This is step backward.
It gaves bad signal to the user ("strong root password is not needed").
It does not mitigate the BF attack. The original and main reason was to
mitigate BF even "P J P <pjp@xxxxxxxxxxxxxxxxx>" told us here that not.
See his writings here:
https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html,
https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
This is simply very bad security misconception.
The PJP told us that this is like SELinux or firewal. But firewall block
all trafic. But SELinux does not allow to obey the rules it raises. And
"PermitRootLogin=no" still allows BF and still allows easily to login as
another user and do su/sudo even maybe (!!!) not so easily (which is
hard to prove as I demonstrated before because it will lead to use much
less quality passords for root and normal users too).
All this rumor is trying to tell us that it improves security, but does
not. It provides false feeling of improved security and this is very
dangerous (ie. like does Security through Obscurity). If you really want
to improve security and mitigate BF attacks against root, do this:
A) do not run SSHD by default
B) install a script by default to bann repeated login failures
(there are many around here, just test them and ship one).
These are real steps forward as it will really mitigate BF for all
accounts in the system.
--
Milan Keršláger
http://www.pslib.cz/ke/
http://www.nti.tul.cz/wiki/Milan.Kerslager
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
--
Francisco Alonso.
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct