pavement

Security (Why FreeBSD?)

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
Line 3: Line 3:
 
Most if not all Linux distros instead default OpenSSH to allow root login, which is hideously insecure because it allows a cracker to use a program like John the Ripper to try dictionary or brute-force attacks against the root account directly.
 
Most if not all Linux distros instead default OpenSSH to allow root login, which is hideously insecure because it allows a cracker to use a program like John the Ripper to try dictionary or brute-force attacks against the root account directly.
  
While we agree that root login should not be allowed by default, the argument given in the previous section is FUD, wrong, void and makes me wonder if I can trust what else is said about BSD. To use John the Ripper you need read access to /etc/password _and_ /etc/shadow, where all modern linux´s keep the encrypted passwords. You need to be root to read /etc/shadow. So if you can read /etc/shadow you already have root access, which means you have no reason to run the Ripper.  
+
While we agree on the conclusion, that root login should not be allowed by default, the argument given in the previous section is FUD, wrong, void and makes me wonder if one can trust what else is said about BSD. To use John the Ripper you need read access to /etc/password _and_ /etc/shadow, where all modern linux´s keep the encrypted passwords. You need to be root to read /etc/shadow as it is always installed 0600 uid root. So if you can read /etc/shadow you already have root access, which means you have no reason to run the Ripper.  
  
 
The reason not to allow root login is simple. You want the root´ing people to authenticate as an ordinary user first, in order to track the su´ing people down in the logs (assuming they do not remove
 
The reason not to allow root login is simple. You want the root´ing people to authenticate as an ordinary user first, in order to track the su´ing people down in the logs (assuming they do not remove

Revision as of 21:11, 4 December 2004

FreeBSD has a significantly better security record, particularly as concerns out-of-the-box security, than most if not all Linux distributions. As an example, the default FreeBSD install includes OpenSSH set NOT to allow root logins - the hopeful remote user must log into SSH as a user in the wheel group, and must then su to root afterwards.

Most if not all Linux distros instead default OpenSSH to allow root login, which is hideously insecure because it allows a cracker to use a program like John the Ripper to try dictionary or brute-force attacks against the root account directly.

While we agree on the conclusion, that root login should not be allowed by default, the argument given in the previous section is FUD, wrong, void and makes me wonder if one can trust what else is said about BSD. To use John the Ripper you need read access to /etc/password _and_ /etc/shadow, where all modern linux´s keep the encrypted passwords. You need to be root to read /etc/shadow as it is always installed 0600 uid root. So if you can read /etc/shadow you already have root access, which means you have no reason to run the Ripper.

The reason not to allow root login is simple. You want the root´ing people to authenticate as an ordinary user first, in order to track the su´ing people down in the logs (assuming they do not remove themselves from the logfiles ...).

Personal tools