Does disabling root login enhance security?
I have recently found an argument against disabling a root user login in Linux at http://archives.neohapsis.com/archives/openbsd/2005-03/2878.html
I assume that, if everybody uses a public key authentication, there's no risk at losing the root password.
Is it always better to disable the root login via ssh?
The short answer is that the smaller your attack profile the better. Always. If you don't need it or can use an alternative such as sudo or su, then don't enable root login.
One big argument in favor of disabling root and using sudo/su is that you can track who's doing what. One user - one login. Never share accounts.
The argument at that link seems to be specific to local login, rather than ssh.
I second Dennis´ point, plus:
Allowing root login via SSH also means root is attackable by brute force password guesses.
Because root is always there, and the reward is so high, it is a priority target. The username would have to be guessed first, which adds a few orders of magnitude to the difficulty of the problem.
Never disable the root account if you don't have console access. If your filesystem fills up and the boot fails while /etc/nologin is created, only the root account will be allowed to login into the machine.
That said, if you have console access to deal with these situations, closing root account may save you some headaches, as no one will be able to get to the root account using a dictionary attack (my experience is that these are constant these days - someone is always trying). Other things you might think of doing:
- Install a program like fail2ban that automatically closes access to an IP address if it fails authentication more than a number of times (to actively protect against dictionary attacks).
- Only use ssh keys.
- If you manage a lot of machines, use cfengine or other to manage the public keys that you authorize to enter a machine (or else you get those outdated pretty quickly).
Best regards,
João Miguel Neves
It is always better to disable root login via SSH.
There are PKI systems (e.g. public keys with SSH) that have been compromised. SSH has already had remote authentication flaws previously that enabled a root compromise to occur. Software PKIs are notoriously weaker than hardware based PKIs.... if your host computer is compromised, the target server could likewise fall easily. Or there could be novel flaws found in SSH. By limiting root login, you could also extend the period of time an attacker needs in order to perform privilege escalation.
Historically, many administrators used bastion hosts (basically gateways) in order to enter a network, and then jump to boxes afterward. Using a high secure distro (e.g. OpenBSD) as a bastion host, in conjunction with different operating systems provides defense-in-depth and defense-in-diversity (one vulnerability less likely to compromise entire network).
Please consider having an out of band connection to your network also, such as a serial concentrator, serial switch, or other. This will provide backup availability of your administrative interface if required.
Because I am paranoid and in security, I'd be more likely to use an IPSEC VPN or Type1 VPN, and then run SSH on top of it, with no internet exposure of SSH whatsoever. Putting the VPN on your network hardware can dramatically simplify this in implementation.