Printable View
Hi all,
I have this little question: I have read many times that when connecting to linux terminal over inet that I shouldnt login as root. That I should login as normal user and then use su command to receive root rights. Is this true? And if yes why? What's the point?
You know I really don't understand linux so if someone could explain:)
Thanx Sun7dots
Well, for a start, most servers don't allow remote root login, and log all attempts at it...
So if you login as another user, then use su to get root privileges, it works a whole lot better.
is this the only reason?
and if the server allows it?
If the server does allow it, it's still not advisable, cause it means transmitting the (unencrypted) root password over the network/internet (very insecure).
1) Server shouldn't allow root to log in remotely.
2) Password sniffers always check for login password, but now always passwords once connected.
3) You shouldn't log on as root unless you HAVE to anyway
Use SSH, not telnet. That will help also. Make sure you are using the latest version though.
Why? Security issues. It is way to easy to sniff a password or hijack a session. I don't log in as root from anyplace other then the terminal unless I absoutely have to. Even then, not for long.
thnx guys:) I forgot sniffers... so thanx for explaining...
I log in as root ONLY from the keyboard going directly into the back of the computer I'm logging into. I don't even login as root over LANs.
In fact, I don't su root either, if I need to do something as root, I'll log in locally rather than go over a network of any kind, even if I administrate it and even if it's supposed to be secure.
su provides cryptographically secured authentication. which protects from tcp hijacking and spoofing. and sniffing.
I agree with Rewandythal and souleman's advice. You should not allow remote root login and if you have to do a remote connection I would advice tu use SSH.
SSH has some issues but is far safer then Telnet :).
I have also set my servers to deny root locally. The cause of that is that we are several admins. When the admins have to log in as normal users and then "su" to get root privilegies I can see exactly when and what someone has been doing with the servers.
It can be hard to see who has been to the machine if everybody uses root when logging in to the servers :).
I am the only person with root access to my Linux machines, and Administrative access to my 2K machines, (All other users get either Power User (2k) or just normal user accounts in linux).
Well first of all loging in as root over telnet isn't going to happen because telnet won't allow for root connections. Second of all telnet is all in plain text and not encrypted at all. Secure Shell on the other hand will allow for root login unless taken out of the ssh config file. But by default it will allow for root logons its alot safer then telnet because its encrypted at 128 bit (i could be wrong on this one) But i would still highly advise that you login in as root only if you need to else things seemed to get screwed up way to fast! :)
Agree with you on that one, linuxcommando.Quote:
else things seemed to get screwed up way to fast!
uh linuxcommando, if you were such a commando you would know that root logins through telnet are possible.
You can change the /etc/securetty (spelling?) file to determine how root can log in. I disallow all root logins. I am the only admin, and I still require myself to su to root. If, by some chance, someone somehow gets the root password, they can't login directly, and the su would be noticeable. Especially since none of the users here know how to use *nix. ;)
Also, by forcing myself to su, it guarantees that I want to be root. I actually have to login twice to do something, so I force myself to think about what I am doing before I really screw something up.
If the remote user, connects to the terminal without SSH etc. su will not provide any protection against sniffers.Quote:
Originally posted here by celfie
su provides cryptographically secured authentication. which protects from tcp hijacking and spoofing. and sniffing.
:hiphop: :smokes:
souleman is right. Edit your /etc/securetty file (yes that is the correct spelling) and comment out all the ttyx lines to disallow root logins. For example:Quote:
You can change the /etc/securetty (spelling?) file to determine how root can log in. I disallow all root logins. I am the only admin, and I still require myself to su to root. If, by some chance, someone somehow gets the root password, they can't login directly, and the su would be noticeable. Especially since none of the users here know how to use *nix.
#tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
This mean no-one can login as root. They have to su -. FTP also has it's own files to stop logins from certain accounts. Use /etc/ftpusers to specify which accounts can't login to ftp (eg root, mail...). This has been deprecated for newer versions of linux/ftp. In this case use /etc/ftpaccess to specify the system accounts.
Thanks for the help guy's i too was wonderin about remote root as i am a self connfessed [pong] newbie [/pong]