Michael, You are quite right to call me on my non-contribution to this thread, I apologise.
I always set AllowRootLogin to false on ssh in the spirit of defence-in-depth, coupled with the "UsePrivilegeSeparation yes" setting. SSH'ing to a non-privileged user account, allowed to sudo with a password, is an extra hurdle. The biggest improvement is to disable insecure SSH methods like passwords, of course. That and keeping sshd patched. B. On 15 April 2013 20:59, Michael Zedeler. <mich...@zedeler.dk> wrote: > Hi Keith and others. > > First off, I'd prefer to read discussions on this list based on facts and > not just "wow". You may have a point, but it's not a very nice welcome to > Tim who is writing in with a beginners question (his own wording - not > mine). > > Second, I'd like to pick up your comment on remote root login via ssh. > > A server where root login using a pass phrase can be hacked using brute > force over time. Yes - fail2ban should mitigate this somewhat, but it is > still something that is just waiting to happen. > > But if you force the use of key login, getting in using brute force is > essentially impossible. > > Then you could argue that using a second user account could serve as a > second line of defense, but that is very thin line. Any attacker who has > gained access to such an account can easilly log in and modify the > environment to pick up any passwords that the user must enter in order to > get root access. > > Monitoring, hardening and two factor authentication is what comes to mind > when I think of what can be done to actually avoid the problem. > > I know that having remote ssh root access isn't ideal, but I think it is > becoming very common on servers in small organisations because any extra > security layers are complicated to set up, manage and monitor. > > Regards, > > Michael > > > On 2013-04-15 16:23, Keith Gable wrote: >> >> wow indeed. >> >> --- >> Keith Gable >> A+, Network+, and Storage+ Certified Professional >> Apple Certified Technical Coordinator >> Mobile Application Developer / Web Developer >> >> >> On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson <rnew...@apache.org> wrote: >> >>> wow. >>> >>> On 15 April 2013 15:15, Tim Tisdall <tisd...@gmail.com> wrote: >>>> >>>> What's wrong with ssh'ing as root? >>>> >>>> >>>> On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable < >>> >>> zi...@ignition-project.com>wrote: >>>>> >>>>> But you're SSHing as root, which is probably worse than opening CouchDB >>> >>> to >>>>> >>>>> the world with no password. >>>>> >>>>> --- >>>>> Keith Gable >>>>> A+, Network+, and Storage+ Certified Professional >>>>> Apple Certified Technical Coordinator >>>>> Mobile Application Developer / Web Developer >>>>> >>>>> >>>>> On Mon, Apr 15, 2013 at 8:45 AM, Tim Tisdall <tisd...@gmail.com> wrote: >>>>> >>>>>> Instead of opening CouchDB to the world, I simply access it by >>>>>> port-forwarding through ssh when I connect to the machine. Like this: >>>>>> >>>>>> ssh -L 5984:127.0.0.1:5984 r...@mymachine.com >>>>>> >>>>>> Then on my local machine I can simply access >>>>> >>>>> http://localhost:5984/_utils/and >>>>>> >>>>>> up comes futon. It depends on your use-case, but this works well for >>> >>> me. >>>>>> >>>>>> >>>>>> >>>>>> On Mon, Apr 15, 2013 at 7:14 AM, Stefan Reich < >>>>>> stefan.reich.maker.of....@googlemail.com> wrote: >>>>>> >>>>>>> Hmm... maybe you guys can help me solve the rest of the problem? >>>>> >>>>> (Access >>>>>> >>>>>> to >>>>>>> >>>>>>> couchdb from outside) >>>>>>> >>>>>>> These are the last iptables rules in chain INPUT:; >>>>>>> >>>>>>> MY_REJECT all -- anywhere anywhere >>>>>>> ACCEPT tcp -- anywhere anywhere tcp >>>>> >>>>> dpt:5984 >>>>>>> >>>>>>> Is that not what it should be...? Says "anywhere"... everywhere. >>> >>> Heh. >>>>>>> >>>>>>> Cheers, >>>>>>> Stefan >>>>>>> >>>>>>> >>>>>>> On Mon, Apr 15, 2013 at 1:08 PM, Stefan Reich < >>>>>>> stefan.reich.maker.of....@googlemail.com> wrote: >>>>>>> >>>>>>>> OK, thanks for all the answers, folks. It was indeed iptables that >>>>>>> >>>>>>> blocked >>>>>>>> >>>>>>>> the port. This stuff should be designed (much) better in operating >>>>>>> >>>>>>> systems. >>>>>>>> >>>>>>>> Actually it's a project of mine to make that better (LuaOS and its >>>>>>>> follow-ups). >>>>>>>> >>>>>>>> I got iptables to allow access locally now. Weirdly, it still >>> >>> doesn't >>>>>>> >>>>>>> work >>>>>>>> >>>>>>>> over the Internet. And no, the server is not behind a firewall... >>> >>> :) >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Stefan >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Apr 11, 2013 at 3:30 AM, Andrey Kuprianov < >>>>>>>> andrey.koupria...@gmail.com> wrote: >>>>>>>> >>>>>>>>> See if your local.ini bind_address is set to 0.0.0.0 so that you >>> >>> can >>>>>>>>> >>>>>>>>> access >>>>>>>>> it locally and remotely. >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Apr 11, 2013 at 2:54 AM, Stanley Iriele < >>>>> >>>>> siriele...@gmail.com >>>>>>>>>> >>>>>>>>>> wrote: >>>>>>>>>> A simple cat of etc/hosts... Should let you know!... And maybe >>>>>>> >>>>>>> nsswitch >>>>>>>>>> >>>>>>>>>> just to be sure >>>>>>>>>> On Apr 10, 2013 11:22 AM, "Robert Newson" <rnew...@apache.org> >>>>>> >>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> Are you sure localhost == 127.0.0.1 on your machine? >>>>> >>>>> debian/ubuntu >>>>>>> >>>>>>> are >>>>>>>>>>> >>>>>>>>>>> notorious for changing that convention. >>>>>>>>>>> >>>>>>>>>>> On 10 April 2013 14:20, Stanley Iriele <siriele...@gmail.com >>>>>>> >>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Why are you telneting to it?...try curling it and see >>> >>> whatviy >>>>>>>>> >>>>>>>>> responds >>>>>>>>>>> >>>>>>>>>>> with >>>>>>>>>>>> >>>>>>>>>>>> On Apr 10, 2013 10:47 AM, "Stefan Reich" < >>>>>>>>>>>> stefan.reich.maker.of....@googlemail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Oops, bad copy&paste - here's the actual process info: >>>>>>>>>>>>> >>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651 >>>>>>>>>>>>> couchdb 7651 7650 0 19:44 pts/0 00:00:00 >>>>>>>>>>>>> /usr/lib/erlang/erts-5.8/bin/beam.smp -Bd -K true -- -root >>>>>>>>>>> >>>>>>>>>>> /usr/lib/erlang >>>>>>>>>>>>> >>>>>>>>>>>>> -progname erl -- -home /var/lib/couchdb -- -noshell >>> >>> -noinput >>>>>>> >>>>>>> -sasl >>>>>>>>>>>>> >>>>>>>>>>>>> errlog_type error -couch_ini /etc/couchdb/default.ini >>>>>>>>>>>>> /etc/couchdb/local.ini /etc/couchdb/default.ini >>>>>>>>> >>>>>>>>> /etc/couchdb/local.ini >>>>>>>>>>> >>>>>>>>>>> -s >>>>>>>>>>>>> >>>>>>>>>>>>> couch -pidfile /var/run/couchdb/couchdb.pid -heart >>>>>>>>>>>>> couchdb 7682 7651 0 19:44 ? 00:00:00 heart -pid >>>>> >>>>> 7651 >>>>>>>>> >>>>>>>>> -ht 11 >>>>>>>>>>>>> >>>>>>>>>>>>> Cheers, >>>>>>>>>>>>> Stefan >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, Apr 10, 2013 at 7:46 PM, Stefan Reich < >>>>>>>>>>>>> stefan.reich.maker.of....@googlemail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi there! >>>>>>>>>>>>>> >>>>>>>>>>>>>> I'd like to start using CouchDB for my projects. >>>>>>>>>>>>>> >>>>>>>>>>>>>> This is on a Linux host. CouchDB installed from standard >>>>>> >>>>>> Debian >>>>>>>>>>> >>>>>>>>>>> package, >>>>>>>>>>>>>> >>>>>>>>>>>>>> no settings altered. But it doesn't start properly: >>>>>>>>>>>>>> >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# uname -a >>>>>>>>>>>>>> Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri >>>>> >>>>> Dec 7 >>>>>>>>>> >>>>>>>>>> 17:06:14 >>>>>>>>>>>>> >>>>>>>>>>>>> MSK >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2012 i686 GNU/Linux >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb >>>>>> >>>>>> start >>>>>>>>>>>>>> >>>>>>>>>>>>>> Starting database server: couchdb. >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb >>>>>> >>>>>> status >>>>>>>>>>>>>> >>>>>>>>>>>>>> Apache CouchDB is running as process 7651, time to >>> >>> relax. >>>>>>>>>>>>>> >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# telnet localhost >>> >>> 5984 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Trying ::1... >>>>>>>>>>>>>> Trying 127.0.0.1... >>>>>>>>>>>>>> telnet: Unable to connect to remote host: Connection >>>>> >>>>> refused >>>>>>>>>>>>>> >>>>>>>>>>>>>> Connection refused? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Here's the process info: >>>>>>>>>>>>>> >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# uname -a >>>>>>>>>>>>>> Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri >>>>> >>>>> Dec 7 >>>>>>>>>> >>>>>>>>>> 17:06:14 >>>>>>>>>>>>> >>>>>>>>>>>>> MSK >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2012 i686 GNU/Linux >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb >>>>>> >>>>>> start >>>>>>>>>>>>>> >>>>>>>>>>>>>> Starting database server: couchdb. >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb >>>>>> >>>>>> status >>>>>>>>>>>>>> >>>>>>>>>>>>>> Apache CouchDB is running as process 7651, time to >>> >>> relax. >>>>>>>>>>>>>> >>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# telnet localhost >>> >>> 5984 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Trying ::1... >>>>>>>>>>>>>> Trying 127.0.0.1... >>>>>>>>>>>>>> telnet: Unable to connect to remote host: Connection >>>>> >>>>> refused >>>>>>>>>>>>>> >>>>>>>>>>>>>> Please help, dear experts... :) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>> Stefan >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>> >
