Root access on Ubuntu server?

November 1, 2009

I’m in the process of setting up my very first production server using Ubuntu, and I’ve ended up spending a lot of time reading about security online.  Since I’ve always let the ops team worry about setting up environments, etc., I’ve now learned that there are a lot of different concerns to think about.

One decision in particular is bugging me right now – how to secure the root account on my new machine?  So far, I’ve been doing a lot of the work by SSHing into the root account.  On the whole, this doesn’t seem so great, since it can be dangerous to use root day-to-day and always have the ability to delete anything on the system.

Ubuntu recommends that I create another user with sudo permission and use that day-to-day.  However, since Ubuntu also asks users for their own password when using sudo (rather than the root password), I feel this isn’t intrinsically any more secure than just having a root account.  In either case, a cracker would only have to find one password to take over the system.

So, my thought is to create a second user with sudo permission, change sudo to require the use of the root password, and disable remote logins for root.

Advantages:

  • To gain access to root, a hacker would have to find the second username, that username’s password, and the root password.
  • Sudo provides logging of all executed commands.
  • Using the sudoers file, I could potentially mark some commands as offline to even the secondary user.  This could be useful to make sure the user can’t change the root password or access certain directories.

Disadvantages:

  • Since I don’t have local access to my machine, I’m worried about turning off SSH access to root.  What if something happens to the secondary user?  Would I be locked out?  I’m using Linode as my host, so I think I might actually be able to use their online Lish terminal to log in as root as if it were local access.
  • Every admin user would need to know the root password in order to use sudo.  I think this is ok because I’ll really only have one admin user, and that will be me.

In all, I think that the advantages of my plan outweigh the disadvantages.  What do you think?


3 Responses to “Root access on Ubuntu server?”

  1. DB Says:

    I think you’re working too hard. Just use your account + sudo, with a strong password. Use SSH to connect to your normal account, not root. In fact, disable root access by SSH in sshd_config and require public-key authentication (disable password authentication).

    Spend your effort making sure people don’t break into the server in the first place. Because once they’re in, they can do damage. Little tricks like a second root password aren’t going to help you.

  2. DB Says:

    Also, never share a password. Your proposal requires the root password to be shared. It’s just you today, but next year it’ll be 3 people, and when one leaves, you have to change the root password. Stick with individual accounts and you can easily disable a user’s SSH access and sudo privileges if needed. The whole reason sudo & SSH were invented was to circumvent the well-documented shortcomings of a single root account.

  3. Mike Says:

    Thanks for the comments, DB – that’s actually what I ended up going with.

    I also spent some time working with visudo to lock down sudoer accounts even more, but when I found myself having to use the root account to update things, I backed out of most of that as well. I figured having to frequently access root would just mean I’d be making root access less secure and it would be better to never have to use root and give more permission to the trusted user account.
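The sshd_config settings DB recommends in the first comment can be checked with a script. This is an added example, not part of the original post or its comments; the function names and both sample configs are constructed for illustration, and it reads global settings only, not `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the original post): check sshd_config text for the
# settings recommended in the comments. sshd keeps the FIRST value given for a
# keyword and matches keywords case-insensitively, so a later "no" does not
# override an earlier "yes".

# Print the global value of keyword $1 in config text $2, or $3 if it is unset.
sshd_setting() {
    printf '%s\n' "$2" | awk -v key="$1" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                    # Match blocks are not audited here
        k == tolower(key) { val = tolower($2); exit }
        END { print (val != "" ? val : def) }'
}

# Return 0 only if root login and password login are explicitly disabled and
# public-key login is on. "unset" fails the first two checks on purpose, so the
# result does not depend on a distribution's built-in defaults.
audit_sshd() {
    rc=0
    [ "$(sshd_setting PermitRootLogin "$1" unset)" = no ] ||
        { echo "FAIL: PermitRootLogin must be 'no'"; rc=1; }
    [ "$(sshd_setting PasswordAuthentication "$1" unset)" = no ] ||
        { echo "FAIL: PasswordAuthentication must be 'no'"; rc=1; }
    # Assumption: PubkeyAuthentication defaults to yes when absent (upstream OpenSSH).
    [ "$(sshd_setting PubkeyAuthentication "$1" yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication must be 'yes'"; rc=1; }
    return $rc
}

# Constructed sample configs (not taken from any real server).
WEAK_CFG='# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no'

HARDENED_CFG='# constructed sample
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

for name in WEAK_CFG HARDENED_CFG; do
    eval "cfg=\$$name"
    if audit_sshd "$cfg"; then echo "$name: OK"; else echo "$name: needs work"; fi
done
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; keep an existing session open while restarting sshd so a mistake does not lock you out.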

