[email protected] writes:
> I don't see a huge difference between logging in to a UID 0 account named 
> 'root' or a UID 0 account named 'management' (and not much more difference 
> in logging in as UID 500 and then doing a su or sudo to UID 0)


Accountability. If something messes up my system, I want to know if it's
bob, the new SysAdmin, or if it's the 'management' tool, or what. If
everything logs in remotely, I have no idea who did what.

Having both log in as separate UIDs and then using sudo or su leaves me
at least some clues as to who root actually is.

For the second reason, I want you to go examine the sshd log (usually
/var/log/secure or something). If you are not running behind a firewall,
fail2ban, or something else that blocks dictionary attacks at the
network level, you will most likely see quite a lot of failed login
attempts for 'root' (you will also see a lot of failed logins for other
usernames, but 'root' is by far the most common).

If a user chooses a bad password, sure, if someone really wants to take
you down, they'll get in. But if root has a bad password? Well, my
experience has been that if you put a box with PermitRootLogin yes and a
dictionary word for the root password on the public Internet, it will
be compromised and used to send spam by the time you come in the next day.
(Yes, this actually happened to me. The box was supposed to be a test
server in our no-incoming-connections-allowed lab. Someone mistakenly put
it on the public Internet. The next day it was rooted.
Going through the logs, it sure looks like it fell to a dictionary attack.)

_______________________________________________
Discuss mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
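An added example, not part of the post above and not code from the list or its author, that does the two checks the post describes: count failed sshd logins per username in /var/log/secure (so you can see for yourself that 'root' dominates), flag password logins that were accepted from a source address that had already failed repeatedly (the pattern the author saw when the lab box fell to a dictionary attack), and read the effective PermitRootLogin value out of sshd_config. The log lines and config text below are constructed samples; the "Failed password" / "Accepted password" line format is the real one sshd writes, but the hostnames, addresses and timestamps are made up. The default of prohibit-password assumes OpenSSH 7.0 or later.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure (not real data): two sources hammer
# root and a couple of guessed usernames, then one of them gets in with a
# password; bob logs in normally with a key and later mistypes his password once.
SAMPLE_SECURE_LOG = """\
Mar  3 02:14:07 testbox sshd[1841]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:09 testbox sshd[1841]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 02:14:10 testbox sshd[1842]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 02:14:11 testbox sshd[1843]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 02:14:12 testbox sshd[1845]: Failed password for invalid user oracle from 198.51.100.7 port 40211 ssh2
Mar  3 02:14:13 testbox sshd[1846]: Failed password for root from 198.51.100.7 port 40213 ssh2
Mar  3 02:14:15 testbox sshd[1847]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Mar  3 02:15:01 testbox sshd[1850]: Accepted publickey for bob from 192.0.2.10 port 60001 ssh2: RSA SHA256:c0ffee
Mar  3 02:15:30 testbox sshd[1851]: Failed password for bob from 192.0.2.10 port 60003 ssh2
Mar  3 02:15:33 testbox sshd[1851]: Accepted password for bob from 192.0.2.10 port 60003 ssh2
"""

# Matches sshd's auth result lines; "invalid user" is present when the
# username does not exist on the box at all.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict with result/method/user/src for an sshd auth line, else None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def failed_logins_by_user(log_text):
    """Count failed logins per username; on an exposed box 'root' tops this list."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            counts[ev["user"]] += 1
    return counts


def suspicious_successes(log_text, threshold=3):
    """Return (user, src, prior_failures) for every password login accepted
    from a source that had already failed `threshold` or more times.
    That is what a dictionary attack that finally guessed right looks like.
    Key-based logins are not flagged: a key is not being guessed."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif ev["method"] == "password" and failures[ev["src"]] >= threshold:
            hits.append((ev["user"], ev["src"], failures[ev["src"]]))
    return hits


def permit_root_login(config_text):
    """Effective PermitRootLogin from sshd_config text. sshd honours the first
    uncommented occurrence of a keyword; the default assumed here
    (prohibit-password) is OpenSSH >= 7.0 behaviour."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return "prohibit-password"


if __name__ == "__main__":
    print("failed logins by user:", failed_logins_by_user(SAMPLE_SECURE_LOG).most_common())
    print("password logins after repeated failures:", suspicious_successes(SAMPLE_SECURE_LOG))
    # Constructed sshd_config fragments: the weak setting beside the fixed one.
    print("weak  :", permit_root_login("PermitRootLogin yes\n"))
    print("fixed :", permit_root_login("# PermitRootLogin yes\nPermitRootLogin no\n"))
```

On a real host, feed it the contents of /var/log/secure (or wherever your distribution sends the authpriv facility) and /etc/ssh/sshd_config; the same parser also works on `journalctl -u sshd` output, since the "Failed password for ..." text after the process name is unchanged. Lowering `threshold` makes the success check noisier (bob's one typo above is deliberately not flagged).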
