On Fri, Jan 6, 2012 at 00:56, Rory Browne <rbmlist at gmail.com> wrote:
> Whoops - forgot to include ilug@ first time around.
>
> ---------- Forwarded message ----------
> From: Rory Browne <rbmlist at gmail.com>
> Date: 5 January 2012 11:22
> Subject: Re: [ILUG] Help with web site security
> To: Niall O Broin <niall at magicgoeshere.com>
>
> On 5 January 2012 09:50, Niall O Broin <niall at magicgoeshere.com> wrote:
>> On 5 Jan 2012, at 08:21, Kevin Brennan wrote:
>>> - make sure root access via ssh is disabled
>>
>> I see this touted now and then. What is the rationale? What I hear offered is "Well, you first have to get access to an account, and then you have to have the root password", i.e. you're forcing one extra layer of security. Well, why not then force 2 extra, with e.g. hardware tokens. Or 3 extra, with IP address restrictions too.
>
> I'm not sure where you're coming from here. Depending on the security
> requirements of the host/service in question, you'd decide how
> many layers of security you need, versus the cost (including time /
> effort) of each one. I think disabling root via ssh is a relatively
> cheap layer to add, in time, effort, inconvenience, and cash terms.
> Some environments do indeed implement these three layers, as well as a
> fourth time-based layer.
Some would argue that adding user accounts provides another vector for
attack. Personally, I would agree with most of the arguments (for
logging in as root) in the following post:
http://etbe.coker.com.au/2010/05/29/logging-in-as-root/
Would also agree with requiring passphrased keys to log in. I don't
know the root password for many of the boxes I administer, though
given that I have root access, I could change it if required. Our
typical xen/ganeti VM creation scripts create a scrambled root
password (à la pwgen -c 32) and puppet deploys/removes the ssh keys of
those who are allowed to log in.
Marcus.
--
Marcus Furlong
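The two sshd settings the thread is arguing over (PermitRootLogin and PasswordAuthentication) are easy to get wrong because sshd honours the first occurrence of a keyword, so a hardening line appended at the end of sshd_config does nothing if an earlier line already set it. The script below is an added example, not code from the thread or from anyone's Xen/Ganeti/puppet scripts: it audits a config file by that first-match rule and generates a scrambled root password of the kind Marcus describes (pwgen -c 32 is replaced here with /dev/urandom so it runs without pwgen). It assumes a POSIX sh with awk and tr; the config fragments in the usage at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the ILUG thread. Audits sshd_config the way sshd reads it
# (first occurrence of a keyword wins) and generates a scrambled root password.
# On a live host, `sshd -T` prints the effective values and is the authoritative check.

# Print the first active value of a keyword (case-insensitive), lowercased.
# Comment lines and lines without a value are skipped, as sshd does.
effective_setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Print the state of both settings and return 0 only if both are hardened.
# PermitRootLogin "no" disables root entirely (Kevin's advice); "prohibit-password"
# (older spelling "without-password") is the key-only root that Marcus describes.
# An unset PermitRootLogin is flagged: its default changed from yes to
# prohibit-password in OpenSSH 7.0, so say it explicitly rather than trust the version.
audit_sshd() {
    root=$(effective_setting PermitRootLogin "$1")
    pass=$(effective_setting PasswordAuthentication "$1")
    case "$root" in
        no|prohibit-password|without-password) root_state=ok ;;
        "") root_state=unset ;;
        *) root_state=open ;;
    esac
    case "$pass" in
        no) pass_state=ok ;;
        "") pass_state=unset ;;     # sshd defaults PasswordAuthentication to yes
        *) pass_state=open ;;
    esac
    printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' "$root_state" "$pass_state"
    [ "$root_state" = ok ] && [ "$pass_state" = ok ]
}

# Scrambled root password: N alphanumeric characters from /dev/urandom (default 32).
# Nobody needs to know it when root logs in with a key; it only has to resist
# offline guessing if /etc/shadow ever leaks.
generate_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
    echo
}

# Usage with constructed config fragments. The "weak" file shows the trap:
# the trailing "PermitRootLogin no" is ignored because line 1 already set it.
weak=$(mktemp); hard=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n# appended later, ignored by sshd:\nPermitRootLogin no\n' >"$weak"
printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' >"$hard"
audit_sshd "$weak" || echo "weak config: needs work"
audit_sshd "$hard" && echo "hardened config: ok"
echo "scrambled root password: $(generate_root_password 32)"
rm -f "$weak" "$hard"
```

Run it against a copy of a real /etc/ssh/sshd_config to see which value sshd will actually use; if the box uses an Include directive (OpenSSH 8.2+), the included files are read at the point of the Include, so check them in that order too.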