Is it safe to change the root password?
Posted: 08 Feb 2012, 14:44
by ingo2
Just a short question:
may I change the root password (for security reasons, I know how to do so), or will it break/prevent some functionality, probably during upgrade?
I personally think this is even more important than the admin password.
Kind regards,
Ingo
Re: Is it safe to change the root password?
Posted: 08 Feb 2012, 14:54
by basd82
Sure,
no problem, I always do it.
I even disable the root password because you don't want to log in as root.
I log in as a normal user and use sudo to do something as root.
With kind regards,
Bas van den Dikkenberg
Re: Is it safe to change the root password?
Posted: 08 Feb 2012, 15:29
by Ubi
That sounds needlessly complex for a headless and console-less machine. Just changing the password into something difficult and disabling the possibility for direct login is more than plenty security for a device like this. Oh and if you're truly paranoid: change the SSH port into something weird.
Re: Is it safe to change the root password?
Posted: 08 Feb 2012, 15:51
by ingo2
Ubi wrote: Oh and if you're truly paranoid: change the SSH port into something weird.
Don't laugh, that's what I have done on my NAS for login from the internet:
a) disable authentication by password, only allow with SSH-keyfile as normal user, with su get root.
b) change standard port to "something nobody expects".
a) is for security
b) is for power saving and HDD life. Once you have SSH on port 22 open to the internet: watch your 'auth.log' and see the script kiddies flood it with funny attempts. This prohibits my HD from ever spinning down.
Best regards,
Ingo
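The settings discussed in the posts above (no password logins, no direct root login, a non-default port) can be checked against an sshd_config; the following is an added example, not part of any post in this thread. It assumes current OpenSSH defaults, does not follow `Include` directives, and uses constructed sample input.

```python
# Added example (not from the thread): audit the global part of an sshd_config.
# Assumed defaults are those of current OpenSSH; older releases differ.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def parse_global(config_text):
    """Return (settings, has_match) for the lines before the first Match block."""
    settings, ports, has_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            has_match = True  # everything after this line is conditional
            break
        if key == "port":
            ports.append(value)  # Port may be given several times
        else:
            settings.setdefault(key, value)  # sshd keeps the first value it reads
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    settings["port"] = ports or ["22"]
    return settings, has_match

def audit(config_text):
    """List the settings that differ from what the posts above recommend."""
    settings, has_match = parse_global(config_text)
    findings = []
    if settings["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins accepted")
    if settings["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is '%s': root can log in directly"
                        % settings["permitrootlogin"])
    if "22" in settings["port"]:
        findings.append("info: listening on port 22, expect auth.log noise")
    if has_match:
        findings.append("Match blocks present: review them, they can override the above")
    return findings

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
SAMPLE = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
    print(audit("PermitRootLogin yes\n"))
```

On a live system, `sshd -T` prints the effective configuration, including defaults, and is the authoritative check.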
Re: Is it safe to change the root password?
Posted: 08 Feb 2012, 16:46
by Gordon
That all sounds hopelessly complex and if you were to ask me, hardly adds any security and may even degrade security.
First off you should never allow access to port 22 (or whatever obscure port that does the same) from untrusted addresses. This implies that anyone trying to gain access to your server will have to corrupt a machine that you regard as trusted first, meaning they either have an original password or installed their own. In either case this will grant them access to the stored SSH key that will in turn enable them access to the server.
If you're paranoid you can even change the name of root (e.g. carrot), but there's hardly any sense in that since the normal behaviour is to block root access from logging in directly through SSH and `su 0` will always make you root regardless of what it was renamed to. Remember that the best way to protect a computer from misuse is to pour it in concrete and sink it off to the ocean. The problem is that this also prevents you from using it, which brings in second best to prevent console access and that happens to be a key feature of the B3. Third is to restrict network access. Really: all the other stuff is just people trying to be fancy and mostly succeeds in just annoying other people.
Re: Is it safe to change the root password?
Posted: 08 Feb 2012, 17:08
by ingo2
Gordon wrote:
If you're paranoid you can even change the name of root (e.g. carrot), but there's hardly any sense in that since the normal behaviour is to block root access from logging in directly through SSH and `su 0` will always make you root regardless of what it was renamed to.
I just tried on my PC running Squeeze-amd64:
Just 'su' works fine (translation: unbekannte = unknown).
Kind regards,
Ingo
Re: Is it safe to change the root password?
Posted: 08 Feb 2012, 17:20
by Gordon
My bad - wrong interface and trying to be fancy myself. The command 'su' without arguments will make you user 0, which is root by any name.
I can read German BTW

Re: Is it safe to change the root password?
Posted: 09 Feb 2012, 09:32
by oliver
Of course you should change your root password. But don't use a simple password like "12345"

Re: Is it safe to change the root password?
Posted: 09 Feb 2012, 10:10
by Ubi
12345? That's amazing! I've got the same combination on my luggage!!
Re: Is it safe to change the root password?
Posted: 09 Feb 2012, 14:58
by oliver
Ubi wrote: 12345? That's amazing! I've got the same combination on my luggage!!
I am quite sure Anonymous was hacking you already

Re: Is it safe to change the root password?
Posted: 09 Feb 2012, 15:51
by RandomUsername
Ubi wrote: 12345? That's amazing! I've got the same combination on my luggage!!
May the Schwartz be with you!