From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
"Best practices" tend to come from other people's whoopsies. But it's always good to question things, too.
Its a concept called defense in depth. Without root login now you require the key AND sudo password.
Also, outside of self hosted you will have multiple people logging in. You want them to log in with their own users for logging and permission management.
Doesn't even have to be the key necessarily. Could get in via some exploit first. Either way taking over the machine became a 2-step process.
Zero-day exploits are security holes that exist and are used by bad actors, but aren't yet known to you, or anyone capable of closing the hole. The clock to patch the hole doesn't start running until the exploit is known: it stands at zero days until the good guys know it exists.
What zero-day exploits exist for ssh?
By definition, you don't know. So, you block root login, and hope the bad actor doesn't also know a zero-day for sudo.
Yes it's always better to login with a user and sudo so your commands are logged also having disable passwords for ssh but still using passwords for sudo gives you the best protection
Sudo also allows for granular permissions of which commands are allowed and which aren't.
Also double check that sudo is the right command, by doing which sudo. Something I just learned to be paranoid of in this thread.
Unless which is also compromised, my god…
which sudo will check $PATH directories and return the first match, true. however when you type sudo and hit enter your shell will look for aliases and shell functions before searching $PATH.
to see how your shell will execute 'sudo', say type sudo (zsh/bash). to skip aliases/functions/builtins say command sudo
meh nvm none of these work if your shell is compromised. you're sending bytes to the attacker at that point. they can make you believe anything
That server's root access is now vulnerable to a compromise of the systems that have the private key.
A door with the best lock possible is still not as secure as no door at all
It's another slice of Swiss cheese. If the user has a strong enough password or other authentication method through PAM, it might stop or hinder an attacker who might only have a compromised private key, for example. If multiple users have access to the same server and one of them is compromised, the account can be disabled without completely crippling the system.
Using sudo can also help you avoid mistakes (like accidentally rebooting a production server) by restricting which commands are available to the user.
One always minimises attack surfaces and the possibility of fat fingered mistakes. The lower privileges that you grant yourself the better.
You'd think that Dave Cutler who, I believe, designed Windows NT coming from a Unix style background would have followed these principles but no. I discovered *nix late sadly.
It's just another way of minimizing your attack surface. It's pretty much the same as hiding behind a barrier when being shot at, you stick yourself out as little as possible.
In the same way it also helps to change your SSH port to somewhere in the high numbers like 38265. This is anecdotal of course, but the amount of attacks on SSH went down by literally 99% by just changing the port like that
Then you accept only keys, you lock down root (so the username must be guessed as well) and yeah, you're safe.
This is anecdotal
Not just anecdotal. The default SSH port gets hit by ridiculous numbers of bots because a lot of people don't bother to change it. This will be true no matter what machine you're on. Hell, your desktop at home has probably been scanned quite a few times even if all you do is watch porn on it
If ssh has a security issue and you permit root logins then hostiles likely have an easier time getting access to root on the machine than if they only get access to your user account—then they need multiple exploits.
Generally you also want to be root as little as possible. Hence sudo, run0, etc.
I never login with the root account. Not even on the console. You don't want everything you do running as root unless it is required. Otherwise it is much easier for a little mistake to become a big mess.
It's a bad practice to log in as root even for administrative tasks. You need to run numerous commands, some of hem can be potentially dangerous while not requiring root privileges. So normally you have an admin user in the sudo/wheel group and need to login to this account. Also, this adds some protection in case your key has leaked.
Audit trails
You can disasble passwords so ONLY keys work, and you can firewall ssh to ONLY IPs you originate from.
Just don't forget to check if your IP has changed if ssh suddenly starts timing out with no error indication no matter what you do and oh god what is actually wrong
I think there's a way to setup an alert for this.
Is there any point of logging in with a different account?
When you edit & save a file as root, root takes ownership of that file. I personally don’t like having to run chmod or chown every time I make minor changes to something.
No, that's not correct. If you create a new file as root, it will own that file. But editing an existing file doesn't change the owner or group of that file.
It's rarely a good idea to log in as root, doubly so if it's a system with sensitive data or services that could easily be disrupted accidentally. And even more important if multiple users log in. How will you know who broke things to teach them if they don't log in first. The only time I log in to any system as root other than a test system is when I need to sftp to access files or some other system that doesn't have a way to elevate permissions.
The multi-tennant approach to the linux operating system isn't just for security. It's the way the OS was designed to operate. You're not meant to use root as an ordinary user.
Disabling root removes the safety net, but it also plugs the security hole that leaving root enabled leaves.