GeodSoft logo   GeodSoft

Ten Practical Security Steps
Dual Remote Login

7. Make it take two difficult passwords before administrative access can be attained remotely (either over a network or via dial up access).

This may only be achievable on UNIX systems. Allow root or administrative logons at the local system console only. Restrict access to su or sudo (or any other program that allows a user to change their status to an adminstrative user) to those users who are authorized to use the administrative password and be sure they use strong passwords with their personal accounts.

It's often fairly simple to get some or even many user names for a system. Finger still runs on some systems. If a web site lists staff e-mail addresses or has a staff list, a reader can likely guess user accounts for at least some system. On nearly all systems with many users, some will have bad passwords. If telnet is not needed and has not been turned off or blocked by a firewall, getting on a system could be as simple as telneting, entering the first part of an e-mail address or simple variations on staff names and guessing at a few passwords. Once this toehold has been gained, the usual setup will let any user use su. Though the attempts will be logged, if an intruder has already gotten this far by the methods described, no one is looking at su logs. By entering all the common variations on admin, variations on company name and some of the more common passwords, it's possible that root access could be gained. Simple username and password guessing remains a common means by which systems are compromised.

If the use of su, sudo and similar programs is restricted to administrators in the wheel or security user groups, who are authorized to use the root password, then the population is reduced from perhaps dozens or even thousands on some systems to a few who are responsible for the system and should be choosing strong passwords for themselves. If just the password step for IT staff and this step is followed, even with no firewall, telnet running and open to the entire Internet and a huge user population all with horrible or even blank passwords, no one is going to gain root access just by guessing passwords. To do so would require getting two passwords that are beyond the capabilities of password guessing programs.

The preceding statements are in no way intended to suggest the two steps are sufficient, only that they will stop one common avenue of attack. The open network described above, almost guarantees the system will be cracked by other means.

If passwords are transmitted in plain text over network segments that may be sniffed, forcing root to use two passwords may not provide the hoped for level of security. Actually, if someone is actively sniffing a segment between the administrator and the remote administered machines, plain text administrative passwords make it highly likely your systems will be compromised. Firewalls may make it harder with the right source restrictions. Because the sniffer is between your systems, has administrative access on their machine (to run a sniffer), will have your admin passwords and can use network techniques such as session hijacking that are typically not available, expect your systems to fall. If any remote administration of your systems involves the use of plain text passwords (telnet), your systems cannot be considered secure, regardless of all other measures you may take.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
10 Security Steps >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.