
Why is root login via SSH so bad that everyone advises to disable it?

Solutions:


Why root over SSH is bad

There are a lot of bots out there which try to log in to your computer over SSH.
These bots work the following way.

They execute something like ssh root@$IP and then they try standard passwords like “root” or “password123”.
They do this as long as they can, until they find the right password.
On a world-wide accessible server you can see a lot of such log entries in your log files. It can go up to 20 per minute or more.

When the attackers get lucky (or have enough time) and find a password, they would have root access, and that would mean you are in trouble.

But when you disallow root to log in over SSH, the bot first needs to guess a user name and then the matching password.
So let’s say the list of plausible passwords has N entries and the list of plausible users has M entries. The bot has a set of N*M combinations to test, so this makes it a little bit harder for the bot compared to the root case, where it is only a set of size N.

Some people will say that this additional M isn’t a real gain in security, and I agree that it is only a small security enhancement. But I think of this more like those little padlocks which are not secure in themselves, but keep a lot of people from getting easy access. This of course is only valid if your machine has no other standard user names, like tor or apache.

The better reason not to allow root is that root can do a lot more damage on the machine than a standard user can. So, if by dumb luck they find your password, the whole system is lost, while with a standard user account they could only manipulate the files of that user (which is still very bad).

In the comments it was mentioned that a normal user could have the right to use sudo, and if this user’s password were guessed the system would be totally lost too.

In summary I would say that it doesn’t matter which user’s password an attacker gets. Once they guess one password you can’t trust the system anymore. An attacker could use the rights of that user to execute commands with sudo; the attacker could also exploit a weakness in your system and gain root privileges. Once an attacker has had access to your system, you can’t trust it anymore.

The thing to remember here is that every user in your system that is allowed to log in via SSH is an additional weakness.
By disabling root you remove one obvious weakness.

Why passwords over SSH are bad

The reason to disable passwords is really simple.

  • Users choose bad passwords!

The whole idea of trying passwords only works when the passwords are guessable.
So when a user has the password “pw123” your system becomes insecure.
Another problem with passwords chosen by people is that they are never truly random, because a truly random password would be hard to remember.

Also, users tend to reuse their passwords, using the same one to log into Facebook or their Gmail account and into your server.
So when a hacker gets this user’s Facebook password he could get into your server. The user could easily lose it through phishing, or the Facebook server might get hacked.

But when you use a certificate to log in, the user doesn’t choose his password.
The certificate is based on a very long random string, from 1024 bits up to 4096 bits (~ 128 – 512 character password).
Additionally, this certificate is only there to log into your server and isn’t used with any outside services.

Monitoring root access

The comment from @Philip Couling, which should have been an answer:

There’s an administrative reason for disabling root. On commercial servers you always want to control access by person. root is never a person. Even if you allow some users to have root access, you should force them to login via their own user and then su - or sudo -i so that their actual login can be recorded. This makes revoking all access to an individual much simpler so that even if they have the root password they can’t do anything with it. – Philip Couling

I would also add that it allows the team to enforce the principle of least privilege, with a proper sudo configuration (but writing one sounds easier than it is). This enables the team to distribute uncritical work better, without giving away the key to the castle.

Links

http://bsdly.blogspot.de/2013/10/the-hail-mary-cloud-and-lessons-learned.html

This article comes from the comments and I wanted to give it a bit more prominent position, since it goes a little bit deeper into the matter of botnets that try to log in via SSH: how they do it, what the log files look like and what one can do to stop them. It’s been written by Peter Hansteen.
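As an added illustration of the log entries the answer above talks about (this is example code written for this page, not something from the answer or from Peter Hansteen’s article), the script below parses auth.log lines in the OpenSSH syslog format and reports which source addresses and target user names the failed attempts go after, how many of them target root, and the peak rate per minute. The log lines are constructed for the example; the addresses are documentation ranges, not real attackers.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH auth.log lines (syslog format, no year).
# Not real captured traffic; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:14:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:14:03 srv sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:14:05 srv sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:14:09 srv sshd[2108]: Invalid user admin from 198.51.100.23 port 51002
Mar  3 10:14:09 srv sshd[2108]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Mar  3 10:14:12 srv sshd[2110]: Failed password for invalid user oracle from 198.51.100.23 port 51010 ssh2
Mar  3 10:14:30 srv sshd[2115]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:ExampleFingerprintValue
Mar  3 10:15:02 srv sshd[2120]: Failed password for root from 203.0.113.7 port 40150 ssh2
"""

# One regex for the "Failed password" line. The optional "invalid user " prefix tells
# us whether the bot guessed a user name that does not even exist on the box.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return one event dict per failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, "Invalid user" pre-announcements, other daemons
        events.append({
            "minute": f"{m['mon']} {int(m['day']):02d} {m['time'][:5]}",
            "user": m["user"],
            "ip": m["ip"],
            "user_exists": m["invalid"] is None,
        })
    return events


def summarize(events):
    """Who is hammering the server, and which accounts are they after?"""
    per_ip = Counter(e["ip"] for e in events)
    per_user = Counter(e["user"] for e in events)
    return {
        "total": len(events),
        "per_ip": per_ip,
        "per_user": per_user,
        "root_attempts": per_user.get("root", 0),
        # Attempts against accounts that really exist are the ones that can succeed.
        "existing_user_attempts": sum(1 for e in events if e["user_exists"]),
    }


def peak_attempts_per_minute(events):
    """Highest number of failed attempts seen in any single calendar minute."""
    if not events:
        return 0
    return max(Counter(e["minute"] for e in events).values())


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    s = summarize(evs)
    print(f"{s['total']} failed attempts, {s['root_attempts']} of them against root")
    for ip, n in s["per_ip"].most_common():
        print(f"  {ip}: {n} attempts")
    print(f"peak rate: {peak_attempts_per_minute(evs)} attempts/minute")
```

On a real box point the script at /var/log/auth.log (or the output of journalctl -u ssh); the same parser also tells you, after you set PermitRootLogin no, that the root attempts keep coming but can no longer succeed.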

These could be some of the reasons why direct root login should not be allowed.

  • Bruteforce attempts. Direct root login could result in more damage on a successful bruteforce attack.
  • Misconfiguration of “passwordless” SSH keys (human error happens) could expose your machine to the internet

But this is just the TIP of the iceberg. You need to configure other restrictions and configurations like:

  • Change the default port (22)
  • Strong Passwords and Passphrases
  • Disable Host-Based Authentication
  • Create a List of allowed users
  • Configure idle Timeout
  • Force SSHv2 protocol
  • Disable Empty Passwords
  • Use fail2ban as a measure against bruteforce
  • Log everything
  • Configure SSH Keys, and trust only public keys in .ssh/authorized_keys
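To make the list above concrete, here is an added example (written for this page, not taken from the answer) of a small sshd_config auditor: it checks the directives that correspond to the items in the list and prints a finding for each one that is missing or weak. Two constructed configs are included, a weak one and a hardened one. Two sshd parsing rules are built in because they bite in practice: for a duplicated directive the first value wins, and directives after a Match line are conditional, so the scan stops there. The defaults assumed for absent directives are those of a current OpenSSH; fail2ban and log shipping are separate services and are not checked here.

```python
import re

# Constructed example of a weak sshd_config (not from any real host).
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
HostbasedAuthentication yes
"""

# Constructed example of a hardened sshd_config for the same checks.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers alice bob
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
Match User backup
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {directive: value}.

    sshd rules honoured here: directive names are case-insensitive, "Key value"
    and "Key=value" are both accepted, the FIRST occurrence of a directive wins,
    and everything after a Match line applies only conditionally (scan stops).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)

    def get(key, default):
        # `default` is what a current OpenSSH uses when the directive is absent.
        return s.get(key, default).lower()

    findings = []
    if get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be 'no'")
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no'")
    if get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if get("hostbasedauthentication", "no") == "yes":
        findings.append("HostbasedAuthentication yes")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled")
    # Only meaningful on old OpenSSH; releases since 7.4 only speak protocol 2.
    if "1" in get("protocol", "2").split(","):
        findings.append("Protocol 1 enabled")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups list")
    interval = get("clientaliveinterval", "0")
    if not interval.isdigit() or int(interval) == 0:
        findings.append("ClientAliveInterval not set (no idle timeout)")
    if get("port", "22") == "22":
        findings.append("Port 22 (default; changing it is obscurity only)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

Run it against /etc/ssh/sshd_config after each change, and remember that sshd -T prints the effective configuration, which is the authoritative answer when the first-value-wins rule or a Match block makes the file hard to read.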

You’re right that a root username and an X+Y symbol password is cryptographically at least as secure as an X symbol username + Y symbol password. In fact it is even more secure, because people’s names are easy to guess (bots may just try john, mike, bill, etc., and by the way, that’s what many of them do instead of trying root). And you’re especially out of luck if it’s a targeted attack, because if someone wants to break into a company’s server it wouldn’t be a problem to find out the name (nick) of the sysadmin.

And as soon as the attacker has access to the account the sysadmin uses for ssh logins (and then uses su or sudo to do his tasks), he can infect that user’s session with a program which will send the attacker the root password the next time the sysadmin types it.

It’s any type of root login which is (or should be) considered bad practice from a security point of view. The “normal” user login -> su/sudo chain adds an audit trail. In plain English: it makes it possible to find out who did what.

A special case may be the one where only one person has root access. In that case using the additional “normal” user won’t add much value (at least I never could see that value). But you’re supposed to have a simple user on the system anyway (for non-administrative tasks, running wget, etc. 😉).
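The audit-trail point made in the last two answers can be seen in the logs themselves. The script below is an added example for this page (not code from either answer): it reads constructed auth.log lines and builds a per-person record from the sudo entries, while flagging direct root logins, for which the log names no person at all. The log lines, user names and addresses are made up for the example.

```python
import re

# Constructed auth.log excerpt (not real captured data). It mixes the two cases the
# answers contrast: a person logging in as themselves and then using sudo, versus a
# direct root login that names nobody.
SAMPLE_AUTH_LOG = """\
Mar  3 11:02:10 srv sshd[3001]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2: ED25519 SHA256:ExampleFingerprintAlice
Mar  3 11:02:31 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 11:05:02 srv sshd[3010]: Accepted publickey for root from 198.51.100.5 port 50200 ssh2: RSA SHA256:ExampleFingerprintUnknown
Mar  3 11:05:40 srv sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
Mar  3 11:06:00 srv sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# sudo logs "user : TTY=..." on success and "user : <reason> ; TTY=..." on refusal.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>[^;]*?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def build_audit_trail(log_text):
    """Return (trail, unattributed).

    trail: (timestamp, person, target user, status, command) per sudo entry.
    unattributed: (timestamp, source ip, auth method) per direct root login,
    i.e. sessions the log cannot tie to a person.
    """
    trail, unattributed = [], []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            if m["user"] == "root":
                unattributed.append((m["ts"], m["ip"], m["method"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            status = "DENIED: " + m["denied"] if m["denied"] else "ok"
            trail.append((m["ts"], m["user"], m["target"], status, m["cmd"]))
    return trail, unattributed


def who_ran(trail, needle):
    """The 'who did what' question: persons who successfully ran a command containing needle."""
    return sorted({person for _, person, _, status, cmd in trail
                   if status == "ok" and needle in cmd})


if __name__ == "__main__":
    trail, unattributed = build_audit_trail(SAMPLE_AUTH_LOG)
    for ts, person, target, status, cmd in trail:
        print(f"{ts} {person} as {target} [{status}]: {cmd}")
    for ts, ip, method in unattributed:
        print(f"{ts} root logged in directly from {ip} via {method}: no person recorded")
```

The denied entry is as valuable as the successful ones: with per-person accounts a refused sudo shows exactly who tried to read /etc/shadow, whereas the direct root session leaves you with nothing but a source address.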
