From owner-freebsd-questions Fri Nov 2 10:37:59 2001 Delivered-To: freebsd-questions@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 2D55137B403 for ; Fri, 2 Nov 2001 10:37:56 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fA2IbVe65283; Fri, 2 Nov 2001 19:37:31 +0100 (CET) Message-ID: <01ae01c163cd$7cb00340$0a00000a@atkielski.com> From: "Anthony Atkielski" To: "FreeBSD Questions" References: Subject: Re: Lockdown of FreeBSD machine directly on Net Date: Fri, 2 Nov 2001 19:37:53 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG So is it really an issue provided that I never log in to root from anywhere except on my own LAN (which has only two machines, both of which are under my exclusive control)? If I leave SSH login of root allowed, but with password authentication disallowed, it seems to me that anyone trying to hack into the system from the outside by a login to root would have quite a task before him, since he could not guess passwords, and even if he knew the root password, it wouldn't help him. He'd have to have the private SSH key for root to get in, and short of somehow stealing it off one of my machines (which would imply that I had far bigger security problems than just logins to root), I don't know how he'd get that. There's no copy of it on the server, even. ----- Original Message ----- From: "Scott Gerhardt" To: "Anthony Atkielski" ; "FreeBSD Questions" Sent: Friday, November 02, 2001 15:51 Subject: RE: Lockdown of FreeBSD machine directly on Net > If you are the only administrator this isn't too bad, but still not > recommended. If you have several administrators logging in from time to > time, you are better off logging in as yourself first and 'su' to root. > That way there is record in the logs as to who did what. > > > > > > > -----Original Message----- > > From: owner-freebsd-questions@FreeBSD.ORG > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Anthony > > Atkielski > > Sent: November 2, 2001 12:04 AM > > To: FreeBSD Questions > > Subject: Lockdown of FreeBSD machine directly on Net > > > > > > Is there anything special I need to do to secure a FreeBSD > > system, freshly > > installed, before putting it on the Internet (i.e., with an IP > > address reachable > > from the outside world)? Is it secure against attack as > > installed, or do I have > > to tweak some things? > > > > Right now I have only ssdh, telnetd, sendmail, and inetd > > running, with ftp > > available (anonymous is disabled). I am planning to install > > Apache so that I > > can prototype my Web site locally. The one change I've made > > is to allow secure > > login for root in ttys; if there is a way of restricting root > > logins to my other > > machine on my LAN, I'd like to know how to do that (it will > > never be necessary > > to login as root from the Net). > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message