Re: Allowing remote root login seems to be bad. Why? (SUMMARY)

Ron,

I do agree that allowing root access in some cases does make sense.

However, I think the point most people bring up is that, especially if it's an external facing server, a script kiddie might launch a dictionary attack against the account named root, but probably not one against the account named jdoe. Unless the attacker is already familiar with your system (and the accounts on the machine), a blind attempt to own your system probably will fail simply because they won't have (or bother to obtain) a valid account on your system. This protection, of course, disappears if your attacker is motivated enough (or has enough information about your system) to know or guess a valid login for your system.

In defense of allowing root, I agree with Ron that in most server solutions, allowing root login, with a sufficient password, is no more unsafe than giving people the ability to su, especially if it's an internal server, and may in fact save you some headaches.

tl;dr
You can still have your system taken over by someone logging in as one of your users, but unless they are lucky or motivated, they probably will not guess a valid account name to log in. root is a known account on all *nix systems, and therefore may be the subject of automated attacks, even if they are not successful.

David Edwards
User Support Specialist
College of Wooster

>>> Ron Arts <ron@xxxxxxxxxxxxxx> 6/3/2008 7:02 AM >>>
Okay,

the general feeling seems to be that you should disable
remote root login, for the following reasons:

1. Why take the chance that someone cracks the root account.
2. You want to keep logs on who is logging in to your box.

Though from the answers I may induce that it may be
secure if:

- you choose a strong root password
- there are no other users on the box
- constrain logins to certain IP addresses.

I think if you allow users on the box, you run a much
larger risk anyway not? Hacking root from a local
account is much easier than hacking root remotely.

I did not see defenders of the default Red Hat/Fedora setup.

But your answers still convinced me that though there
are valid reasons to use local user accounts together with sudo,
they do not necessarily apply to the setups I use.

Thanks,
Ron
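
The claim in the reply above, that automated guessing concentrates on root while guesses at other names mostly miss, can be checked against a host's own auth log. This is an added example, not part of the original thread; it assumes OpenSSH's usual "Failed password for ..." syslog lines, and the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd syslog format (not from a real host).
SAMPLE_LOG = """\
Jun  3 07:02:11 host sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jun  3 07:02:13 host sshd[2101]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jun  3 07:02:15 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Jun  3 07:02:17 host sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Jun  3 07:02:19 host sshd[2105]: Failed password for root from 198.51.100.7 port 51200 ssh2
Jun  3 07:05:40 host sshd[2110]: Failed password for jdoe from 192.0.2.10 port 50022 ssh2
Jun  3 07:05:48 host sshd[2110]: Accepted password for jdoe from 192.0.2.10 port 50022 ssh2
"""

# sshd writes "invalid user" when the guessed account name does not exist on the host.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Tally failed password attempts by existing account, nonexistent name and source IP."""
    valid, nonexistent, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        sources[m["ip"]] += 1
        if m["invalid"]:  # the guess never reached a real account
            nonexistent[m["user"]] += 1
        else:
            valid[m["user"]] += 1
    return valid, nonexistent, sources

def root_share(valid):
    """Fraction of the failures against existing accounts that were aimed at root."""
    total = sum(valid.values())
    return valid["root"] / total if total else 0.0

if __name__ == "__main__":
    valid, nonexistent, sources = summarize(SAMPLE_LOG)
    print("failures against existing accounts:", dict(valid))
    print("guesses at nonexistent names:      ", dict(nonexistent))
    print("failures per source address:       ", dict(sources))
    print("share aimed at root: {:.0%}".format(root_share(valid)))
```

On a real host, feed `summarize` the text of the sshd log; the per-source tally is the input for deciding which addresses to constrain logins to.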
