By way of metaphor, most people’s houses aren’t highly secure against burglary and so most burglars are skilled at identifying weakly protected houses. Is a security light good protection? No, but it’ll put a lot of them off, and that’s what we’re aiming for here. We can inconvenience the lazy attackers enough for them to go elsewhere even with trivial and easily-breakable measures like sudo.

Interesting post though, it’s good to think about these things.

The script kiddies have collections of kernel exploits etc, so it would be quite possible for them to have an exploit that replaces sudo with a shell function that exports the password elsewhere.

As an anecdote I’ve often seen servers which have technically been compromised, in that a user account (such as ‘apache’) has been breached, but the attacker has only tried to run some pre-written scripts and shown no imagination in finding weaknesses specific to the server itself. Blocking most outbound ports at the firewall is often enough, so that they can’t run an IRC server, for example.

You quite rightly discuss how to make a server the most secure, much as how someone could talk about making their house more burglar-proof. The truth is that most attackers, both physical and virtual, are lazy enough that even weak protection is good enough for a majority of cases.

So yes, I fully agree with what you say – sudo isn’t much of a protection at all against someone who knows Linux well – but it is good enough to limit damage from a non-determined hacker.

There is some discussion on this post at the above Reddit page.

http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf

There has been research on this matter (see the above URL). In summary the entropy in the user-name does do some good if you have a large number of accounts (such as an Internet banking service for a major bank) such that a multiple attempt lock-out doesn’t work. But if you have a small number of accounts (less than 10,000 or so) and any sort of limit on the rate of attempts per account then the overall scanning rate will not lead to any significant risk of attack.

The mechanisms for securing Internet banking are quite different from those for securing servers for sysadmin login.

Besides, there is no reason why the account for UID==0 needs to be named “root”. You can easily configure a system with account “root” locked and have another name for the account that is really used for UID==0 access.

Using root removes depth. You can use other tools such as denyhosts to block attacks but one should be doing that anyway.

1: ssh as root (yes)-> password cracker -> pwn

2: ssh as root (no)-> user dictionary -> find valid user (yes) -> password cracker -> pwn

Plus you have a one liner at the end of your article about not using sudo in it’s default configuration, well I would argue that if you are using sudo in its default configuration you shouldn’t be responsible for security of systems anyway.