
Exporting my key as a PEM file

I don't know about making it policy in a corporate environment that has a nice strong firewall but I like to do it at home.
I'm not the only one that likes to do it. Here is a quick google search. The whole reason I started doing it is that I was behind a really lousy router and was being hacked within 2 seconds of a fresh install. At the time I didn't know much about hardening a system before connecting to the internet but then one day I found the whole disable root by /etc/shadow and all my problems disappeared. You guys are really putting me through the wringer over this. I by no means tell you go to work and make everybody part of the sudo group and then disable the root password in /etc/shadow. This is more of a one or two machine security solution. Anyway here are search terms and a link to a google search.



etc shadow disable root password best practice

https://www.google.com/search?q=etc...ome..69i57.13934j1j7&sourceid=chrome&ie=UTF-8
 
I'm not the only one that considers this a best practice. The whole reason I started doing this is that at the time I didn't know much about securing a computer before connecting to the internet and I was genuinely being hacked within 2 seconds. Then I finally googled this solution and all my problems went away. I don't suggest you go into a corporate environment behind a nice firewall and make everybody part of the sudo group then disable root in shadow but at home, this has definitely worked for me. Here are some search terms and a link to other people that like to do this at home at the very least.


etc shadow disable root password best practice

https://www.google.com/search?q=etc...ome..69i57.13934j1j7&sourceid=chrome&ie=UTF-8
 
A suggestion if you want to seriously lock down your Linux install is to install and run this 'lynis' utility. While utilities like rkhunter and chkrootkit are more reactive measures that will help you detect being compromised after-the-fact, lynis is a proactive way to harden your install to minimize exploits from gaining access.
Running a scan as root will result in a summary of issues to look into, along with links pointing to more detailed explanations, plus an expansive log (lots and lots of verbiage) in /var/log/lynis.log; you can do a scan as a general user but this will only result in a less practical, non-privileged summary, with its log in /tmp.

https://cisofy.com/lynis/
https://en.wikipedia.org/wiki/Lynis

Apologies to @Greum for the way we've hijacked your thread away from your original query.
 
I'm not the only one that considers this a best practice. The whole reason I started doing this is that at the time I didn't know much about securing a computer before connecting to the internet and I was genuinely being hacked within 2 seconds.

That's more of an indicator there's a worm somewhere in your home LAN, some otherwise idle binary that's designed to spread itself across a local network.

As for this practice of disabling root actually being a common one, it isn't likely as it's so rarely referred to elsewhere.
 
You guys are really putting me through the wringer over this

Not really. People are merely correcting misinformation. Sorry but you can't come out with statements like a system will be hacked in 2 seconds with the root account being enabled. That is not true.
 
So me reporting an experience and its solution is misinformation? I think I described a reason to take the root account very seriously.
 
So me reporting an experience and its solution is misinformation? I think I described a reason to take the root account very seriously.

No problem reporting an experience. If you can describe exactly what caused the problem, and how you fixed it, that would be useful.

I would still like to know why having a root account enabled is such a security risk, because in all my years of being a professional systems admin, we never disabled the root account. And this was before we had things like sudo, which adds even more security to gaining access to root. I mean nobody even needs to know the root password these days.

Like I said, having a strong and secure password, not just for root, but any user account is of great importance, and a lot of security breaches are through cracking insecure passwords.

So if you can post a definite article describing what the security issue is, rather than a bunch of Google links, that would be great. I always remain open minded.
 
Thanks, Brian, but no thanks. :)

I not only don't disable root, I set up all my computers to allow root log-ons. And I allow su - which I use frequently.

My passwords are strong, from the ground up, i.e., starting with my router.

Please don't think your suggestions are bad or anything like that. It's just that I've used *nix since 1985--with ZERO security problems, and off-site backups--and kind of know what I'm doing. :D

I haven't run a linux-based PC yet, but my servers (that I've been running for ~15 years) have root enabled - but direct login to root is limited by key, so only a handful of computers under my control can log in. It would pretty much require stealing one of them to get in. (that said, I won't claim to be a linux expert...)
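
The two setups argued over in this thread (root's password locked in /etc/shadow, and root login limited to keys) can be checked from the files themselves. The following is an added example, not code from any poster: it classifies root's shadow(5) password field and reads the global `PermitRootLogin` and `PasswordAuthentication` keywords from sshd_config(5) text. The function names and sample inputs are constructed for illustration, and `Match` blocks, `Include` files and PAM keyboard-interactive logins are not evaluated.

```python
# Added example. Sample inputs are constructed, not taken from the thread.
SHADOW_LOCKED = "root:!:19000:0:99999:7:::\n"
SHADOW_HASHED = "root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
SSHD_KEY_ONLY = "# constructed\nPermitRootLogin without-password\nPasswordAuthentication no\n"
SSHD_OPEN = "PermitRootLogin yes\n"

# Upstream OpenSSH defaults (a distribution may ship different ones).
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes"}

def root_password_state(shadow_text):
    """Return 'empty', 'locked', 'hashed' or 'absent' for root's shadow entry."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != "root":
            continue
        if fields[1] == "":
            return "empty"      # no password needed at all
        if fields[1][0] in "!*":
            return "locked"     # not a valid crypt(3) result, nothing matches
        return "hashed"
    return "absent"

def sshd_global_settings(config_text):
    """Parse global keywords only; stops at the first Match block."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if len(parts) >= 2:
            seen.setdefault(parts[0].lower(), parts[1].lower())  # first value wins
    settings = {**SSHD_DEFAULTS, **seen}
    if settings["permitrootlogin"] == "without-password":  # deprecated alias
        settings["permitrootlogin"] = "prohibit-password"
    return settings

def audit_root(shadow_text, config_text):
    """Return findings; an empty list means neither check fired."""
    state, ssh = root_password_state(shadow_text), sshd_global_settings(config_text)
    findings = []
    if state == "empty":
        findings.append("root has an empty password field")
    if (state == "hashed" and ssh["permitrootlogin"] == "yes"
            and ssh["passwordauthentication"] == "yes"):
        findings.append("root password is accepted over SSH")
    return findings

if __name__ == "__main__":
    print(audit_root(SHADOW_HASHED, SSHD_OPEN))
```

On a real host the inputs would be the contents of /etc/shadow (readable by root only) and /etc/ssh/sshd_config.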
 