SSH security
Hi all, I created a user with an SSH account but no sudo permission. Sorry if this is a noob question, but what's the difference between a sudo-enabled account and 'root'? What can be the security issue here if the passwords of those accounts are hacked? How to prevent the issues (if any)?

Thanks.

Comments

  • ndelaespada Member, Host Rep

    A sudo user has the same level of access as a root user; if either of those accounts gets hacked you're in deep trouble. How to prevent issues? Disable SSH password authentication, use SSH private keys instead, and change the sshd port from the default to something else.
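    As an added illustration of the settings this post recommends changing (a script written for this edit, not code from the thread; the config text is constructed and the option defaults are assumptions stated in the comments), a small audit that reads an sshd_config and reports the weak options:

```shell
#!/usr/bin/env bash
# Constructed sample sshd_config showing the settings the post says to change.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
'
# Hardened counterpart: key-only login, no direct root, non-default port.
HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
'

# Effective value of one keyword. sshd honours the FIRST uncommented
# occurrence of an option, so a later duplicate line does not override it.
sshd_opt() {  # $1 = config text, $2 = keyword, $3 = value to report if absent
  printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(k) && !found { print $2; found = 1 }
    END { if (!found) print d }'
}

# Print one line per weak setting, then the number of findings on the last line.
# Assumed defaults: PasswordAuthentication is yes when absent (true for every
# OpenSSH release); PermitRootLogin's default varies by version, so it is
# flagged only when set to yes outright.
audit_sshd_config() {
  local cfg="$1" n=0
  if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = yes ]; then
    echo "PasswordAuthentication yes: passwords can be guessed; set no once a key works"
    n=$((n + 1))
  fi
  if [ "$(sshd_opt "$cfg" PermitRootLogin unset)" = yes ]; then
    echo "PermitRootLogin yes: root is a known username; log in as a user and use sudo"
    n=$((n + 1))
  fi
  if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = no ]; then
    echo "PubkeyAuthentication no: keys are disabled, leaving only passwords"
    n=$((n + 1))
  fi
  echo "$n"
}

# Findings count alone (last line of the audit), convenient for scripts.
sshd_weak_count() { audit_sshd_config "$1" | tail -n 1; }
```

    Run it against `"$(cat /etc/ssh/sshd_config)"` on a real host and apply the changes only after a key login has been confirmed from a second session.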

  • tchen Member
    edited December 2013

    A couple things about sudo:

    1. You can restrict sudo to specific commands, e.g. "sudo service restart apache2".
    2. Sudo authentication will time out, which gives slightly more security if you accidentally leave a terminal running.
    3. Sudo commands are logged.
    4. Sudo is typically used to provide administrators access without having to share the root login.
    5. sudo su - is like @ndelaespada says equivalent to logging in as root. Anything goes if you allow this.

    Using sudo allows you to control the way you elevate privileges. First barrier would be the ssh private key with passphrase. Second barrier becomes the actual passwd for the user.

    You'd have to lose all three things in order for someone to run the equivalent of root. And even then only if you enable sudo ALL. If you just need a developer account for instance, you can easily restrict your sudo privileges to commands you only need. Then file away the sudo (ALL) account to be used less often.

  • Moving port somewhere else is just a maintenance nightmare and has minimal security benefit.

    Use a reasonable, not easily guessable, non-dictionary password and the fail2ban daemon, which will make the brute force password guessing attack practically impossible: with a 10-min ban after each 3 attempts it will take 1/2 million years to break a 6-character password using upper/lowercase/numbers/special chars, or 1/2 year with 1 million IPs. How about an 8-character password :)

    The weakest link to your machine is you. (Kevin Mitnick)

    I noticed some VPS providers here who shall remain nameless use unsecured links to the client panel, where an attacker can change the root password. Some provide secure login, but do not enforce it when you remove the "s" from https on their login page.

    For example try unsecured links:

    http://my.crissic.net/clientarea.php
    http://billing.chicagovps.net/clientarea.php

  • OMG, is ChicagoVPS not secured?

  • They have a secured link and that's what they use, but they do not enforce the security if someone clicks an unsecured link.

    There are more of those; I only selected ChicagoVPS because they are well known here for security issues. On the other hand, Crissis is one of the few who knows what he is doing.

  • A social engineer can spoof a ticket with an unsecured login and monitor your WiFi.

    As I said, the weakest link is you.

  • But try these guys, apparently a big and professional company from Toronto who spends millions on marketing every year: www.myhosting.com/

    Click the login link in the top right. They don't even bother with providing secure login page.

  • Ok, never mind MyHosting, the POST goes to the secure page even if typing on the unsecured one, so your password is never in the clear. However, Chicago is not that sophisticated and if you get there on the unsecured page, you are sending your password in the clear.

  • Should we ask the host to make the SSH login through keys?

  • loyd said: Moving port somewhere else is just a maintenance nightmare and has minimal security benefit.

    Regardless of the security benefits, how is moving ports a maintenance nightmare? I move SSH on all of my servers and have never had an issue.

  • edited December 2013

    prosecure@:

    From your localhost:

    $ ssh-keygen -f ~/.ssh/keyname    # creates keyname (private) and keyname.pub; set a passphrase when asked

    $ ssh-copy-id -i ~/.ssh/keyname.pub user@remotehost    # appends the public key to the remote authorized_keys

    $ ssh -i ~/.ssh/keyname user@remotehost    # -i is needed because the key is not named id_rsa/id_ed25519

  • duyan13 Member
    edited December 2013

    @loyd said:
    Moving port somewhere else is just a maintenance nightmare and has minimal security benefit.

    Use a reasonable, not easily guessable, non-dictionary password and the fail2ban daemon, which will make the brute force password guessing attack practically impossible: with a 10-min ban after each 3 attempts it will take 1/2 million years to break a 6-character password using upper/lowercase/numbers/special chars, or 1/2 year with 1 million IPs. How about an 8-character password :)

    The weakest link to your machine is you. (Kevin Mitnick)

    I noticed some VPS providers here who shall remain nameless use unsecured links to the client panel, where an attacker can change the root password. Some provide secure login, but do not enforce it when you remove the "s" from https on their login page.

    For example try unsecured links:

    http://my.crissic.net/clientarea.php
    http://billing.chicagovps.net/clientarea.php

    Both links are secure! They are configured to redirect http to the https site, so please test it before posting false information.

  • @duyan13 You're sending your password in plain text

  • loyd Member
    edited January 2014

    Folks, have a look at your /var/log/auth.log ... scary!

    If you suspect someone hacked your VPS, change the root password and install fail2ban. If the hacker was stupid enough to lock you out, you may need to reinstall, although you may be able to lock the hacker out by changing the password in Solus and rebooting.

    I am getting hacking attempts from legitimate hijacked websites on several of my VPSes. IMO this should be reportable and hijacked VPSes should be shut down, but at present nobody cares.

    Even if you are just hoarding, don't let your VPS sit unsecured. Create a strong password and install fail2ban, otherwise your VPS becomes a hacking and spam gateway and you may even be billed for a dirty IP.

  • Mark_R Member
    edited January 2014

    The best SSH security I know and use is this:

    nano /etc/ssh/sshd_config

    change the SSH default port there to something like 1002

    nano /etc/rc.local

    add a line before the exit:

    iptables -A INPUT -j ACCEPT -p tcp --dport 1002 -s YOUR_IP_HERE

    iptables -A INPUT -j DROP -p tcp --dport 1002

    don't forget to reboot!

    where you see "YOUR_IP_HERE" you would put a dedicated IP that doesn't change

    this will make sure that only someone with access to your dedicated IP can access your server's SSH.

    the dedicated IP could be one of your other servers that you use as a VPN etc.

  • howardsl2 Member
    edited January 2014

    @Mark_R said:

    These are better in case your last rule in INPUT is a DROP, so you don't lock yourself out:

    iptables -I INPUT -p tcp --dport 1002 -j DROP    # -I inserts at the top of the chain, so add the DROP first

    iptables -I INPUT -p tcp --dport 1002 -s YOUR_IP_HERE -j ACCEPT    # then the ACCEPT, which lands above the DROP
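    To see why the order of these -I commands matters, here is an added simulation written for this edit (not from the thread): it models how -A and -I place rules in the INPUT chain and then evaluates an SSH packet with first-match semantics. The IP addresses are constructed stand-ins for YOUR_IP_HERE and a stranger; only the flags used in this thread are parsed.

```shell
#!/usr/bin/env bash
# Constructed stand-ins for YOUR_IP_HERE, a stranger's address, and the port.
ADMIN_IP=203.0.113.10
OTHER_IP=198.51.100.7
SSH_PORT=1002

# Build the INPUT chain from a newline-separated list of iptables commands.
# Understands only the flags used in the thread: -A (append to the end),
# -I (insert at position 1), -p tcp, --dport, -s, -j. Prints one rule per
# line as "dport source target" in the order the kernel would evaluate them.
simulate_chain() {  # $1 = commands
  printf '%s\n' "$1" | awk '
    $1 == "iptables" {
      dport = "any"; src = "any"; target = ""; mode = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-A") mode = "append"
        else if ($i == "-I") mode = "insert"
        else if ($i == "--dport") dport = $(++i)
        else if ($i == "-s") src = $(++i)
        else if ($i == "-j") target = $(++i)
      }
      rule = dport " " src " " target
      if (mode == "append") rules[++n] = rule
      else { for (j = n; j >= 1; j--) rules[j + 1] = rules[j]; rules[1] = rule; n++ }
    }
    END { for (j = 1; j <= n; j++) print rules[j] }'
}

# First matching rule decides; "POLICY" means no rule matched (chain policy).
verdict() {  # $1 = commands, $2 = source IP, $3 = destination port
  simulate_chain "$1" | awk -v s="$2" -v d="$3" '
    ($1 == "any" || $1 == d) && ($2 == "any" || $2 == s) { print $3; hit = 1; exit }
    END { if (!hit) print "POLICY" }'
}

# Mark_R's pair with -A: ACCEPT lands above DROP, so the admin IP gets in.
APPEND_RULES="iptables -A INPUT -j ACCEPT -p tcp --dport $SSH_PORT -s $ADMIN_IP
iptables -A INPUT -j DROP -p tcp --dport $SSH_PORT"
# Same two commands with -I in the same order: each -I goes to the top, so the
# DROP issued second ends up first and the admin IP is locked out too.
LOCKOUT_RULES="iptables -I INPUT -p tcp --dport $SSH_PORT -s $ADMIN_IP -j ACCEPT
iptables -I INPUT -p tcp --dport $SSH_PORT -j DROP"
# Safe -I order: insert the DROP first, then the ACCEPT so it sits above it.
SAFE_INSERT_RULES="iptables -I INPUT -p tcp --dport $SSH_PORT -j DROP
iptables -I INPUT -p tcp --dport $SSH_PORT -s $ADMIN_IP -j ACCEPT"
```

    On a live box the same check is `iptables -L INPUT -n --line-numbers`, read top to bottom, before closing the session you used to add the rules.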
    
  • Like everyone else said, sudo users and the root user can do the same exact things. (sudo users can even log in as root.) If you want to prevent people from "hacking" you, you should limit the IPs that can access the server to your IP. (Which means someone would have to be physically at your house to hack your server.)
