Rootkit infections: AARRGH!

Neil Joseph Schelly neil at jenandneil.com
Mon May 9 09:20:01 EDT 2005


On Monday 09 May 2005 09:06 am, Brian wrote:
> 1, NEVER allow root access via SSH.  You should have to login as a user,
> and then su - to root, or better yet setup a sudoers file.

This is one of those best practices I've never really felt had merit.  It 
seems to me that when people break in through SSH, they are doing it through 
exploits in the SSH or OpenSSL codebases, not through password guessing.  
Once you can overflow the daemon and get control that way, you're root, 
regardless of this option or the password.  This option only prevents people 
who know the root password from logging in through SSH, which is mainly just 
the administrator(s).

Does anyone here have any additional insight to the best practice?  I know 
it's considered best practice, but I never really found it to be logical and 
most only give the reasoning that it is a best practice.
-N
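The setting Brian's advice turns on is sshd's PermitRootLogin (and, for the password-guessing angle Neil raises, PasswordAuthentication). The following audit script is an added example written for this thread, not code from either poster. It assumes OpenSSH's parsing rules (keyword names are case-insensitive; when a keyword appears more than once, the first occurrence wins; keywords after a Match line apply only to matching connections), and the sample configurations and default values are constructed for the example.

```python
"""Audit an sshd_config text for the root-login settings discussed above.

Added example, not part of the original thread. Assumptions: OpenSSH's
rules that keyword names are case-insensitive and that the FIRST
occurrence of a keyword wins; keywords after a 'Match' line apply only
to matching connections and are left out of the global view here.
"""
import re

# Constructed sample: the configuration the quoted advice argues against.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: root login disabled. The later duplicate does NOT
# override the first PermitRootLogin line, and the Match block does not
# change the global setting.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

# Values sshd uses when a keyword is absent (assumption: current OpenSSH
# defaults; older releases defaulted PermitRootLogin to 'yes').
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# 'Keyword value' or 'Keyword=value'
KEYWORD_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_global_section(text):
    """Return {keyword.lower(): first_value} for lines before any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue  # unparseable line; sshd itself would reject the file
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything after Match is conditional, not global
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def effective(settings, key):
    """Effective value of a keyword, falling back to the sshd default."""
    return settings.get(key, DEFAULTS[key]).lower()


def audit(text):
    """Summarise direct-root exposure of an sshd_config string."""
    settings = parse_global_section(text)
    root = effective(settings, "permitrootlogin")
    passwd = effective(settings, "passwordauthentication")
    findings = []
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over SSH")
    if passwd == "yes":
        findings.append("PasswordAuthentication yes: accounts are exposed to password guessing")
    if root == "yes" and passwd == "yes":
        findings.append("root is reachable by password over SSH; no su/sudo audit trail")
    return {"permitrootlogin": root, "passwordauthentication": passwd, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: PermitRootLogin={result['permitrootlogin']} "
              f"PasswordAuthentication={result['passwordauthentication']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against /etc/ssh/sshd_config contents to see which of the two settings is actually in force; the first-occurrence rule is the usual reason a "PermitRootLogin no" appended at the end of the file has no effect.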



More information about the gnhlug-discuss mailing list