Hi again.

Out of this thread, Mr. Tongson pointed me to an interesting post
from March 2005:

  http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html

From this post, it is difficult to understand why disabling remote
root logins is not a good idea; but after reading the entire thread
I see the point, though: disabling remote root logins makes things
a bit harder for an intruder, but not impossible at all.  I agree
with the idea on the thread, but we must consider that:

  1. Allowing remote root logins by default effectively destroys
     the security layer created by the wheel group.  Even if an
     attacker is able to get a copy of the root password (something
     that cannot be underestimated for an internal employee) he
     must be in the right group or get a second password, this time
     one of a user in the wheel group.

  2. There are a lot of brute force attacks from countries like
     Korea these days.  These attacks will be less effective if
     the intruders get access to an unprivileged account (even if
     it is in the wheel group).

  3. A Unix or Unix-like system has a root account.  The names
     of other accounts are difficult to guess (my account at
     string1 is guessable right now, but I could be using a mail
     alias or receiving email on a system that has no real user
     accounts).  Trying brute force attacks against the root
     account is probably the best guess for an intruder.

I must admit I did not know about that thread before Mr. Tongson
sent me an email, and I would probably not have sent my first email
had I been aware of the existence of the thread of March 2005.
But I think that I am right about remote root login enabled by
default weakening other security schemes (like the wheel group)
provided by the BSD systems.

I agree with Mr. Dippel about the problems related to remote installs
of OpenBSD.  Certainly the problem described in his post is not a usual
one; only a few managers do remote installs.  I have a net4801 and
it is upgraded locally, using my laptop as a DEC VT-compatible terminal
connected to it.  I can imagine how difficult it must be to install an
OpenBSD release while remembering that "remote root logins must be enabled
before halting the system".  In any case, there are some good approaches
to this problem.  For example:

  - setting up a terminal/port server to manage these devices as if
    they were local.  In any case, how can the installer be used
    without some sort of terminal (either local or remote) connected
    to the device?

  - add a siteXX.tgz tarball to the installation sets with required
    changes for that specific -and challenging- environment.

I admit that not allowing remote root logins is an imperfect security
measure, but at least it does not break the security introduced by the
wheel group in the BSD systems.  On the other hand, the number of
threats based on brute force attacks against root (the only account
that exists on nearly all the Unix and Unix-like operating systems)
has been increasing in recent years.  Some of these tools try passwords
that I would not call "low-quality ones".

Best regards,
Igor.
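As an added illustration (not part of Igor's message or of any OpenBSD file), the script below audits an sshd_config(5) for the effective PermitRootLogin value, which is the setting the whole thread turns on.  It encodes two sshd parsing rules that are easy to get wrong when checking a file by eye: for each keyword the first value wins and later duplicates are ignored, and anything after a Match line applies only to matching connections, so the global policy is whatever precedes the first Match.  The three configuration files are constructed samples written to a temporary directory; the "yes" default passed as the second argument reflects the pre-OpenSSH-7.0 behaviour discussed in the thread (7.0 and later default to "prohibit-password"), and the policy names (password, key-only, forced, disabled) are this example's own labels.

```shell
# Added example, not from the original thread: report the effective
# PermitRootLogin policy of an sshd_config(5) file.
#   1. sshd keeps the FIRST value given for a keyword; later ones are ignored.
#   2. Lines after a "Match" block apply only to matching connections, so the
#      global policy is read from the directives before the first Match.

# effective_permit_root_login FILE DEFAULT
# Prints the effective PermitRootLogin value, or DEFAULT if the file sets none.
effective_permit_root_login() {
    awk -v def="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }             # drop comments, allow key=value
        NF == 0 { next }                                 # skip blank lines
        tolower($1) == "match" { exit }                  # conditional block: stop here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print def }                    # unset: compiled-in default
    ' "$1"
}

# root_login_policy FILE DEFAULT
# Maps the value to one of: password key-only forced disabled unknown
root_login_policy() {
    case "$(effective_permit_root_login "$1" "$2")" in
        yes)                                echo password ;;  # root password is brute-forceable
        without-password|prohibit-password) echo key-only ;;
        forced-commands-only)               echo forced ;;
        no)                                 echo disabled ;;  # needs a wheel user's password AND root's
        *)                                  echo unknown ;;
    esac
}

# Constructed sample configurations (not taken from any real system).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
WEAK_CFG="$TMPD/sshd_config.weak"
HARDENED_CFG="$TMPD/sshd_config.hardened"
DEFAULT_CFG="$TMPD/sshd_config.default"

cat > "$WEAK_CFG" <<'EOF'
# 2005-style configuration: remote root logins on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
# Root must come in as an unprivileged wheel member and su(1) afterwards.
PermitRootLogin no
AllowGroups wheel
PermitRootLogin yes          # ignored: sshd keeps the first value
Match Address 192.0.2.0/24
    PermitRootLogin yes      # applies only to that network, not globally
EOF

: > "$DEFAULT_CFG"           # nothing set: the compiled-in default applies

for cfg in "$WEAK_CFG" "$HARDENED_CFG" "$DEFAULT_CFG"; do
    printf '%s: %s\n' "$(basename "$cfg")" "$(root_login_policy "$cfg" yes)"
done
```

The hardened sample shows the point of Igor's item 1 in configuration terms: with "PermitRootLogin no" and "AllowGroups wheel", a stolen root password alone is useless over the network; the attacker also needs the password of a wheel member, and the root brute-force traffic mentioned in items 2 and 3 gets no valid target at all.  Run the same functions against a live /etc/ssh/sshd_config to check a real host.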
