0

So if I edit my /etc/ssh/sshd_config file, there's a thing PermitRootLogin where you can turn off root logins.

However this also means I can't use file uploading services like Filezilla because of permissions errors since I can't call "sudo" from Filezilla from one of my non-root accounts.

So, one alternative is to leave root logins on.

If my password is very long (32+ characters) and very high-entropy (lower-case, upper-case, special symbols, numbers, etc), won't this thwart brute force attacks entirely? Is there any risk to leaving root logins on otherwise?

user712268
  • 27

3 Answers3

1

You are already aware of the primary reason why root logins should be disabled by sshd_config. Brute force attacks, by definition, can be relentless and given enough time, any password can be cracked. This is true since attackers already know 50% of the information needed to gain access to your machine: a valid privileged username.

That said, very long, high-entropy passwords certainly reduce the risks of actually being penetrated.

The answer to your question is: No, a very strong password will not completely thwart brute force attacks. They will only help mitigate the risk.

In practical terms, if you are managing a high value (to hackers) computer it would be very unwise to allow ssh root access (or root logins generally). But if that were the case, policies would be in place to prevent this being done.

If you are comfortable with the risk, go for it. The worst that could happen is that someone installs a rootkit and renders your computer useless.

jones0610
  • 2,157
  • Brute force attacks, by definition, can be relentless and given enough time, any password can be cracked: Even 32-length high-entropy passwords, realistically speaking? – user712268 Jul 14 '17 at 00:01
  • Give NSA a reason to seize your computer and I can guarantee you that they will crack whatever passwords you have on it. There is absolutely no such thing as a password that cannot be cracked. – jones0610 Jul 14 '17 at 00:04
  • How do people transfer files (e.g. website files) if they have root disabled? – user712268 Jul 14 '17 at 00:06
  • That's not the question you asked. If you have a different question, please open a new question. – jones0610 Jul 14 '17 at 00:08
  • I transfer files via scp and allow root login with keys only – Panther Jul 14 '17 at 00:09
  • You probably aren't managing a data center where computers undergo constant attacks 7x24x365. The OP's question seems to be one of acceptable risk. The question was: can a very strong password be cracked? the answer is absolutely yes. In terms of the real world, will some user's home computer receive State sponsored, dedicated, persistent attacks on a regular basis? Probably not. Personally, my best practice is to not allow root logins. Period. YMMV. – jones0610 Jul 14 '17 at 00:15
  • The question was "do I really need to disable root access?" and "Is there any risk to leaving root logins on otherwise?". It is completely reasonable to allow root login via ssh using keys without password authentication and with using some sort of firewall. – Panther Jul 14 '17 at 00:24
  • "In practical terms, if you are managing a high value (to hackers) computer it would be very unwise to allow ssh root access" Any computer connected to the internet is of value to blackhats - it can be turned into bitcoin minimg machine, attack proxy, botnet, or even test machine for exploits. – Sergiy Kolodyazhnyy Apr 27 '19 at 00:36
1

This is probably more an opinion than anything else. I suggest you use keys so root login "without-pasword" and configure iptables to lock users out after a certain number of failed attempts. With file transfer you may want to increase the attempts.

Add/edit to /etc/ssh/sshd_config

PermitRootLogin without-password

What does 'without password' mean in sshd_config file?

Make sure you can log in with a key first

http://bodhizazen.com/Tutorials/SSH_keys/

Then disable password authentication.

iptables

iptables -A INPUT -p tcp -m tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource

iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 600 --hitcount 20 --rttl --name SSH --rsource -j REJECT --reject-with icmp-host-prohibited

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

You can increase or decrease the hit count if you so desire

See http://bodhizazen.com/Tutorials/iptables

With those changes, keys and/or a few iptables rules, I think it is reasonable to allow root to log in via ssh.

Panther
  • 102,067
  • So without-password doesn't mean "you can log in without a password" but rather "the password will not work for logging in, you must use a key"? – user712268 Jul 14 '17 at 00:13
  • without-password disables password login via ssh. You can log in with other tools such as keys or kerberos – Panther Jul 14 '17 at 00:14
0

I would recommend you to not even use a password, switch to SSH keys!

step 2. of this tutorial, Replace Password Login With Authorized keys is pretty good in my opinion. It works just fine with pretty much all versions of Ubuntu.

The Best-Scape
  • 1