From owner-freebsd-net Tue Jun 19 11:59:39 2001
Delivered-To: freebsd-net@freebsd.org
Message-ID: <3B2FA0EE.11BB33B@odin-corporation.com>
Date: Tue, 19 Jun 2001 13:58:55 -0500
From: Lars Fredriksen (lars@odin-corporation.com)
Organization: Odin Corporation
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
To: bv@wjv.com
Cc: Cameron Haegle, freebsd-net@FreeBSD.ORG
Subject: Re: Securing the root account
References: <008f01c0f8e5$fdca32a0$420fbf8f@hlc02> <20010619142141.C20724@wjv.com>
Sender: owner-freebsd-net@FreeBSD.ORG

Very well put!

Lars

Bill Vermillion wrote:

> On Tue, Jun 19, 2001 at 12:33:44PM -0500, Cameron Haegle thus
> sprach:
>
> > I come from the Windoze side of the playground, where you are able
> > to rename the Administrator account name, in order to provide a
> > bit more security.
>
> > Can a similar thing be done with FreeBSD?
>
> You could, but what you are proposing is the classic 'Security
> through obscurity model'. That never works.
>
> Root is a traditional account name since 1969, but it also maps to
> user ID 0 as someone else mentioned. Every system requires
> a user ID 0 no matter whether it is root, larry, manny or moe.
>
> Make sure that no one can log in as root anywhere except at the
> console. You can even eliminate root login at the console if your
> system is not in a 10000% secure location :-)
>
> Then the only members who can use root are those you put in the
> 'wheel' group.
>
> Let's get back to UID 0 for a moment. If anyone can get into that
> machine, even if they don't have the ability to become super user,
> and you have named your root account mxtylplx, then anyone on that
> machine will know that is the admin account by listing any
> directory in which user ID 0 has a file it owns.
>
> Don't putz around with security 'ideas'. Do security in the right
> manner. Limit the wheel account users. Make sure they keep their
> login password secure, and keep the root password secure.
>
> Get rid of all telnet accounts and put in SSH so that no clear text
> passwords ever cross the net. That's just a small step on the
> way to locking down a system, but just changing login names won't
> do it.
>
> Bill
>
> --
> Bill Vermillion - bv @ wjv . com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
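An added example, not from the thread: a POSIX sh audit of the three controls Bill lists (root login only at the console, a small wheel group, no telnet in favour of SSH). It runs against constructed fragments of /etc/ttys, /etc/group, /etc/inetd.conf and sshd_config embedded below; the sample contents are assumptions, and on a real host you would feed the functions the contents of the actual files instead.

```sh
#!/bin/sh
# Audit the root-access controls from the thread against config fragments.
# All sample data below is constructed for this example.

# Constructed /etc/ttys fragment: a tty marked "secure" allows root login on it.
TTYS_SAMPLE='console none unknown off secure
ttyv0 "/usr/libexec/getty Pc" xterm on secure
ttyv1 "/usr/libexec/getty Pc" xterm on insecure'

# Constructed /etc/group fragment: wheel membership is who may su to root.
GROUP_SAMPLE='wheel:*:0:root,lars,bill
operator:*:5:root'

# Constructed /etc/inetd.conf fragment: an uncommented telnet line means clear-text logins.
INETD_SAMPLE='#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
telnet stream tcp nowait root /usr/libexec/telnetd telnetd'

# Constructed sshd_config fragment with the weak setting.
SSHD_SAMPLE='PermitRootLogin yes
PasswordAuthentication yes'

# Print the ttys (first field) where root may log in directly.
root_login_ttys() {
    printf '%s\n' "$1" | awk '!/^#/ && $NF == "secure" { print $1 }'
}

# Print the comma-separated member list of the wheel group.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" { print $4 }'
}

# Print "yes" when an uncommented telnet service is configured, else "no".
telnet_enabled() {
    printf '%s\n' "$1" | awk '!/^#/ && $1 == "telnet" { f = 1 } END { print (f ? "yes" : "no") }'
}

# Print the PermitRootLogin value in lower case, or "unset" if absent.
sshd_permit_root_login() {
    printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1 }
        END { if (!f) print "unset" }'
}

# Count findings: any root-capable tty other than the console, root login over
# SSH not explicitly refused, and telnet still enabled.
audit_findings() {
    n=0
    for t in $(root_login_ttys "$TTYS_SAMPLE"); do
        [ "$t" = console ] || n=$((n + 1))
    done
    [ "$(sshd_permit_root_login "$SSHD_SAMPLE")" = no ] || n=$((n + 1))
    [ "$(telnet_enabled "$INETD_SAMPLE")" = no ] || n=$((n + 1))
    echo "$n"
}

echo "wheel members: $(wheel_members "$GROUP_SAMPLE")"
echo "findings: $(audit_findings)"
```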