Web Hosting Talk

Root passwords


AH-Tina
08-16-2004, 10:47 PM
I'm having a debate with someone right now regarding root passwords:

1. I say that root passwords should be different across all servers (say if you have more than 20 servers).

2. Other person says it's no more secure to have them set differently....and it's impossible to keep track of root passwords if you have them all separate.

For those of you who have more than a few servers, I'd love to be told I'm right....or wrong. :D

--Tina

RaviSharma
08-16-2004, 10:59 PM
Well you are damn wrong!!!

...

B'cos you are debating with an idiot!! :p

AH-Tina
08-16-2004, 11:03 PM
Originally posted by RaviSharma
Well you are damn wrong!!!

B'cos you are debating with an idiot!! :p

Thanks! :D


How many servers do you have and how do you manage to keep track of all the root passwords?

--Tina

datums
08-16-2004, 11:06 PM
If you are working with Linux I would suggest keeping them different and rolling out changes via an RPM.

You can also develop a pattern of 11 character passwords that only a few should know.

AH-Tina
08-16-2004, 11:09 PM
Originally posted by datums
If you are working with Linux I would suggest keeping them different and rolling out changes via an RPM.

You can also develop a pattern of 11 character passwords that only a few should know.

RPM?

--Tina

JohnCrowley
08-17-2004, 12:09 AM
We have around 50 servers. Each one has its own root password. We have one master server that is allowed direct ssh access without password. The master server is tightly controlled and locked down. A handy reference card with passwords written on it is used in the event we need to login as root directly from a server. Keeping them different is a very very good thing to do. It's the whole all your eggs in one basket thing. :)

- John C.

AH-Tina
08-17-2004, 12:16 AM
Thanks John. I've always respected your input. Especially since you almost always agree with me! haha.

Anyone else? Anyone DISAGREE with me? Seriously, I would love to hear opposing points of view.

--Tina

Steven
08-17-2004, 12:43 AM
Here is a scenario I have seen. Attacker root compromises a server, grabs the shadow file, uses JTR to crack the root password. Just so happens this host has all the hostnames listed on their website; attacker tries the password on the hostnames. Blamo, root access gained on all servers due to the password being the same.

AH-Tina
08-17-2004, 12:44 AM
Thanks Tom. :)

SEATi
08-17-2004, 01:09 AM
We have 93 servers, each one has a different password.

How do we keep track of them? Fairly easy, I remember them and I have a CD in a safe box with every single root password (yes, I'm a little bit paranoid).

However we have a "bouncer" that allows us to login to any of our servers (as someone mentioned before), that bouncer is inside our LAN and it has to send the specific RSA key along with an IP checker installed on every server, so it's almost impossible to fake that IP and get a root prompt.

Lem0nHead
08-17-2004, 01:14 AM
if it's a 20 chars password it's very unlikely to be guessed by bruteforce...
but it could happen that someone finds it another way (man-in-the-middle attack or even keyloggers - many admins secure their server, but don't secure the client they use to connect to the server) so I wouldn't set the same password on all servers
but it's probably nice to use something like "one pattern for each 10 servers"

if you have 20 servers, you could use, for example:
a9lz1mantz
a9lz1mbntz
a9lz1mcntz
pattern for the first 10 and
iz2mnz5ksl
iz2moz5ksl
iz2mpz5ksl
for the other 10

of course you could use something different from alphabetic order, like taking a phrase such as "im securing my server" and splitting it into groups of 3 letters in the middle of the pattern
ims in one, ecu in another, and so on

at least you'd need to write down just the 2 patterns... and even if someone stole this paper, they wouldn't know how to complete it ;)

SEATi
08-17-2004, 01:18 AM
I know someone who uses his ex-girlfriends' names with their birthdates and "modifying" them.

Let's say that one of the exgfs is called Pamela, and her birthday is on September 12th, he would use something like 09@PaMELa12!

That's a hard to guess password as it includes:
1. Lowercase letters
2. Uppercase letters
3. Numbers
4. Non alpha-numeric symbols (! and @)
5. Is 13 characters long

A cracker would take about 3 months to guess it and he would be able to see the attempts in his logfiles.

AH-Tina
08-17-2004, 01:19 AM
Originally posted by SEATi
I know someone who uses his ex-girlfriends' names with their birthdates and "modifying" them.

Let's say that one of the exgfs is called Pamela, and her birthday is on September 12th, he would use something like 09@PaMELa12!

That's a hard to guess password as it includes:
1. Lowercase letters
2. Uppercase letters
3. Numbers
4. Non alpha-numeric symbols (! and @)
5. Is 13 characters long

A cracker would take about 3 months to guess it and he would be able to see the attempts in his logfiles.

Different one for each server?

--Tina

Steven
08-17-2004, 01:21 AM
Originally posted by AH-Tina
Different one for each server?

--Tina


Maybe he's a playa =)

Lem0nHead
08-17-2004, 01:21 AM
Originally posted by SEATi
I know someone who uses his ex-girlfriend's names with their birthdates and "modifying" them.
(...)

the problem with this technique is that, for each new server, you need to have a new ex-girlfriend :(

j/k

SEATi
08-17-2004, 02:07 AM
Originally posted by Lem0nHead
the problem with this technique is that, for each new server, you need to have a new ex-girlfriend :(

j/k

Well he just has about 7 servers, so that's fairly easy. It wouldn't work for me, as you can be sure that I haven't had 93 gfs LoL

AceWeb
08-17-2004, 03:36 AM
Different password on each computer, server, e-mail address, helpdesk, forums etc.

On some low level forums, I may use the same passwords, but generally I always try to have different passwords all the time.

BitOMagic
08-17-2004, 04:31 AM
We have different ones for each server and, they're so hard to remember we have to write them down! All the staff are like "DAMN You have some good passwords" LOL...

dynamicnet
08-17-2004, 07:18 AM
Greetings:

We manage several score of servers; each has its own root password; and almost all have their own unique underprivileged user id and password (disabled direct root login).

We keep information stored encrypted off the net and off the network in terms of access.

Thank you.

linux-tech
08-17-2004, 11:46 AM
Anyone who says root passwords should stay the same on all servers really has no business in the hosting industry. That's the most insecure way to run your company. Steve brought up the most common reason why right there. Hacker breaks into your server, grabs shadow, runs jtr against it, and gains root access to each and every one of your servers.. OOOOPS!

Believe me, I understand the argument about all passwords being hard to remember; in fact, I'm there quite a bit of the time. The solution I've implemented? DSA Keys. Admittedly, you can't get into WHM/insertyourcontrolpanelhere with a DSA key, however most tasks don't need to be done through WHM/insertcontrolpanelhere and can easily be done from the command line. This has solved every problem I've seen as far as remembering passwords, now I just have to worry about remembering IPs ;)

SEATi
08-17-2004, 12:54 PM
I do also know a company that uses MD5 generated passwords, they can be hard to remember, but trust me, once you use them for a month you get used to them and remember them easily.

After 2 months I still remember 2 of their root passwords :)

genome
08-17-2004, 01:06 PM
go beat your friend over the head with a rubber sausage for being so stupid. diff pass for each machine - always!

cblc3kw
08-17-2004, 02:17 PM
A server does pretty good for us, we should allow him a unique password. :)

nickn
08-17-2004, 02:28 PM
Originally posted by JohnCrowley
We have around 50 servers. Each one has its own root password. We have one master server that is allowed direct ssh access without password. The master server is tightly controlled and locked down. A handy reference card with passwords written on it is used in the event we need to login as root directly from a server. Keeping them different is a very very good thing to do. It's the whole all your eggs in one basket thing. :)


As John says, SSH Keys should be used for root logins. I'm a firm believer in disabling password logins altogether. You will still need the actual root password to access WHM (unless you want to create a WHM account with root access, but I don't think that's needed)

All of our staff use DSA/RSA Keys to SSH in. Each of our servers has a different root password which is changed weekly as well.

We've also done the master server thing, either works. But I definitely recommend using SSH keys.

Also for you dedicated server providers, this means that when your customers change their root password, and then ask for support, or you need to upgrade something, you can still do it :)

(This is of course only for the managed boxes, unmanaged you shouldn't need in.)

I also think the passwords should be encrypted in a database, such as the KeePass Password Safe (http://www.hostingtech.com/?m=show&id=275) and in a zip file that's password protected, or worse yet just a text file :)
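
Added example, not from any poster in this thread: a small POSIX shell audit of the sshd settings nickn and linux-tech describe above (root reachable only with a key, password logins switched off). The directive names are OpenSSH's real ones; the two sample configurations are constructed for the demonstration, and `prohibit-password` is the spelling current OpenSSH uses for what older releases called `without-password`. Only the global section is inspected: anything under a `Match` block is conditional and is treated as a caveat rather than a verdict.

```shell
#!/bin/sh
# Added example (not the thread's own material): check an sshd_config for
# key-only root access and disabled password authentication.
# Both sample configs below are constructed.

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed "as shipped" config: password root login left on, and the only
# PasswordAuthentication no is commented out or hidden inside a Match block.
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF

# Constructed hardened config following the thread's advice.
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF

# Print the effective value of one directive. OpenSSH honours the FIRST
# occurrence, keywords are case-insensitive, and everything after the first
# Match block is conditional, so reading stops there.
get_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/      { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Report findings and end with "RESULT: weak" or "RESULT: ok".
audit_sshd_config() {
    conf=$1
    weak=0
    root=$(get_directive "$conf" PermitRootLogin)
    pw=$(get_directive "$conf" PasswordAuthentication)
    pubkey=$(get_directive "$conf" PubkeyAuthentication)

    case "$root" in
        no|prohibit-password|without-password) ;;
        "") echo "FAIL: PermitRootLogin not set explicitly (compiled-in default applies)"; weak=1 ;;
        *)  echo "FAIL: PermitRootLogin $root allows password-based root login"; weak=1 ;;
    esac
    case "$pw" in
        no) ;;
        *)  echo "FAIL: PasswordAuthentication is '${pw:-unset (defaults to yes)}'"; weak=1 ;;
    esac
    case "$pubkey" in
        no) echo "FAIL: PubkeyAuthentication no leaves no key-based login path"; weak=1 ;;
    esac

    if [ "$weak" -eq 1 ]; then echo "RESULT: weak"; else echo "RESULT: ok"; fi
}

echo "== weak sample =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened sample =="; audit_sshd_config "$HARDENED_CONF"
```

Run it against a live `/etc/ssh/sshd_config` with `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` is the authoritative view of the effective settings if you need to confirm what a Match block does on a particular host.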

brockf
08-17-2004, 02:46 PM
We have a password Excel file on a CD-RW (printed out as a backup) of all of our servers' passwords for all the different software on each server plus we have direct root login disabled and have completely different passwords for the underprivileged users, etc. These passwords are rotated every couple weeks. I only have a few servers so it's not too hard to rotate.

nick[x1]
08-17-2004, 04:22 PM
We use a different root password for every server, totally different, they're all totally random and stored on paper not on the computer.
So if anyone wants my root password they will have to search my office.

wakkow
08-17-2004, 07:38 PM
Or no password! They'll never guess that.. :D

But yes, I agree with using DSA keys..

UsersName
08-17-2004, 10:44 PM
Originally posted by thelinuxguy
Here is a scenario I have seen. Attacker root compromises a server, grabs the shadow file, uses JTR to crack the root password. Just so happens this host has all the hostnames listed on their website; attacker tries the password on the hostnames. Blamo, root access gained on all servers due to the password being the same.

Show me a case of this happening where

1. There was a *GOOD* password set for the root. (no simple words, a real password)

2. shadow using MD5 hash rather than crypt

3. Direct remote login to root not permitted.

UsersName
08-17-2004, 10:47 PM
SSH keys are all great and wonderful, but last I checked 'su' wants a password and doesn't know anything about ssh keys.

linux-tech
08-17-2004, 11:32 PM
SSH keys are all great and wonderful, but last I checked 'su' wants a password and doesn't know anything about ssh keys.

And your point?
Disable root login with password, require strict DSA key validation, and you don't NEED a root password for ssh. This is how I have my personal servers setup. Accessing the server directly through ssh as root is NOT bad if it's done right and correctly. Passwords, yes, they can be brute forced, and denying root login w/ password is ALWAYS recommended. DSA keys are different, unless you actually have others sharing your computer that might know WTH a DSA key is and how to use it.


1. There was a *GOOD* password set for the root. (no simple words, a real password)

2. shadow using MD5 hash rather than crypt

3. Direct remote login to root not permitted.


1. JTR can crack damn near anything, in fact, I've seen it crack MY passwords (or come close), and mine are not exactly easy to crack. What you don't understand is that JTR can run for days, learning as it does, and crack almost every one of your passwords, the longer you let it run.

2. MD5 is not perfect, no matter what you think, it is crackable. Give it time and someone, somewhere will publish something towards cracking md5 based shadow files. It's harder to do than crypt() admittedly, but it IS crackable (just google for crack md5 password, you'll see the utilities out there already designed to do that for numerous applications).

3. Disabling root logins IS an option, but it's not usually a viable option, there's another step involved that takes more of a user's time and effort to manage the server, and the time of a server admin is too precious to waste like that, IMO. Turning off password access = Good, allowing DSA root access = Smart. Again, passwords can be brute forced, quite easily, and the same scenario exists. Once you get that first password, you're in the system. Not just ONE system but ALL systems, each and every one of the systems.

Your recommendation:
Require a user login to get to root. While this is good, it's NOT secure. With this user login, I could export shadow to my server, grab a copy of JTR and have fun. Again, once root's cracked, it's pretty much a gone issue.

Security is about layers, the first layer, as anyone knows is password protection and rotation. This is a given to any experienced administrator. No matter HOW safe you "think" you are, you are NEVER ever 100% safe. Even the most experienced of admins get hacked, it's a fact of life. How you learn and address those situations is another story entirely.

As many others have said, and affirmed repeatedly. Having 1 password (no matter how good) for numerous servers (no matter how many) is a bad bad thing, and an insecure practice.
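
Added example, not from any poster: UsersName and linux-tech argue above about whether shadow hashes are MD5 or old crypt(), and about how fast JTR works through them. The check below, written for this thread rather than taken from it, classifies each `/etc/shadow` entry by its hash algorithm prefix and flags the families that are cheap to brute-force (13-character DES crypt with no prefix, and `$1$` MD5-crypt), so an administrator can find the accounts whose hashes would fall quickest if a shadow file were ever copied off a box. The shadow lines are constructed and the hash strings are not real.

```shell
#!/bin/sh
# Added example (not from the thread): classify shadow hashes by algorithm
# and flag the cheap-to-crack families. The sample shadow file is constructed;
# the hash values are placeholders, not real digests.

SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$SHADOW_SAMPLE"' EXIT
cat > "$SHADOW_SAMPLE" <<'EOF'
root:Npge08pfz4wuk:12345:0:99999:7:::
admin:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:12345:0:99999:7:::
ops:$6$rounds=5000$saltsaltsaltsalt$CONSTRUCTEDHASHNOTREAL:12345:0:99999:7:::
deploy:$y$j9T$saltsaltsaltsaltsalt$CONSTRUCTEDHASHNOTREAL:12345:0:99999:7:::
svc:!:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
EOF

# Map one shadow password field to its algorithm family using the standard
# crypt(3) prefixes. A 13-character field with no '$' prefix is classic DES.
hash_algorithm() {
    case "$1" in
        "")                        echo "empty" ;;
        '!'*|'*'*)                 echo "locked" ;;
        '$1$'*)                    echo "md5crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo "bcrypt" ;;
        '$5$'*)                    echo "sha256crypt" ;;
        '$6$'*)                    echo "sha512crypt" ;;
        '$7$'*|'$y$'*)             echo "yescrypt" ;;
        *)                         echo "descrypt" ;;
    esac
}

# One line per account: WEAK for fast legacy hashes or an empty password,
# OK for locked accounts and modern slow hashes.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        alg=$(hash_algorithm "$hash")
        case "$alg" in
            descrypt|md5crypt) echo "WEAK $user $alg" ;;
            empty)             echo "WEAK $user no-password" ;;
            *)                 echo "OK $user $alg" ;;
        esac
    done < "$1"
}

audit_shadow "$SHADOW_SAMPLE"
```

On a real system run `audit_shadow /etc/shadow` as root; any WEAK line is an account whose password should be reset so the hash is regenerated under the algorithm configured in `/etc/login.defs` (ENCRYPT_METHOD) or the PAM stack.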

dynamicnet
08-18-2004, 10:20 AM
Greetings:

"Disabling root logins IS an option, but it's not usually a viable option, there's another step involved that takes more of a user's time and effort to manage the server, and the time of a server admin is too precious to waste like that, IMO."

In my opinion, it adds less than 15 seconds to a 60 second or less process; and I would rather spend less than 60 seconds total for safer servers in terms of access method.

Please note I do agree with your method; I just don't agree on the time issue ;-)

Thank you.

eBoundary
08-18-2004, 03:51 PM
Why are people still sharing root passwords with staff? What sort of audit trail do you have then?

Each server should have a different root password, ideally not based off the same algorithm (!2AC09@aas #2AC09@aas $2AC09@aas %2AC09@aas etc), these should be stored in an encrypted DB (See my STRIP comment)

Give each staff member a Palm Pilot, install the STRIP application on there (encrypts password with AES so they are not going to be cracked)

Configure sudo on the servers so your staff must run privileged commands through the sudo wrapper. sudo logs the command, who executed them and when it was run.

Once you've done that, break the fingers of any staff member who writes a password on a post-it note, sheet of paper or stores them in a clear text file on their desktop, in their home directory or heaven forbid they send them through email or instant messenger!
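
Added example, not from any poster: eBoundary's point is that sudo gives you an audit trail a shared root password cannot, and Steven's scenario earlier in the thread turns on someone copying `/etc/shadow` before cracking it. The POSIX shell functions below, written for this thread, read sudo's syslog lines and answer the questions that audit trail exists for: what each person ran as root, how many attempts were refused, and which executed commands touched the credential store. The log lines follow sudo's real syslog format but are constructed; the host name, user names and timestamps are invented.

```shell
#!/bin/sh
# Added example (not from the thread): attribution report from sudo's syslog
# output. The log lines are constructed in sudo's format:
#   <ts> <host> sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
# Refused attempts carry "user NOT in sudoers" or "N incorrect password attempts".

SUDO_LOG=$(mktemp)
trap 'rm -f "$SUDO_LOG"' EXIT
cat > "$SUDO_LOG" <<'EOF'
Aug 18 15:51:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Aug 18 15:52:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug 18 15:53:44 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Aug 18 15:55:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Aug 18 15:56:30 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
EOF

# sudo lines for commands that actually ran: refusals and failed
# authentication are filtered out.
sudo_executed() {
    grep ' sudo: ' "$1" | grep -v -E 'NOT in sudoers|incorrect password attempts'
}

# "timestamp user command" for one invoking user. Field 6 is the user
# (the token after "sudo:"); the command is everything after COMMAND=.
sudo_commands_by_user() {
    sudo_executed "$1" | awk -v who="$2" '
        {
            ts = $1 " " $2 " " $3
            user = $6
            cmd = $0
            sub(/.*COMMAND=/, "", cmd)
            if (user == who) print ts, user, cmd
        }'
}

# Number of refused or failed sudo attempts in the log (alert-worthy on its own).
sudo_denials() {
    grep -c -E 'NOT in sudoers|incorrect password attempts' "$1"
}

# Executed commands that read or rewrite the credential store. In the
# thread's scenario, copying /etc/shadow is the step that precedes cracking.
sudo_credential_access() {
    sudo_executed "$1" | grep -E 'COMMAND=.*(/etc/shadow|/etc/gshadow|/usr/bin/passwd)'
}

echo "== commands run by alice =="; sudo_commands_by_user "$SUDO_LOG" alice
echo "== refused/failed attempts: $(sudo_denials "$SUDO_LOG") =="
echo "== credential-store access =="; sudo_credential_access "$SUDO_LOG"
```

Point the functions at the real file (`/var/log/auth.log` or `/var/log/secure`, or `journalctl -t sudo` piped through them) to get the per-person history the post asks for; none of this is possible when everyone types the same root password at a login prompt, because every action then appears as root.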

runesolutions
08-18-2004, 04:41 PM
We just set all our passwords to 'abc' as it's nice and easy to remember.;)

No, really we're of the school of thought that likes different passwords everywhere important. We have a 'system' by which those in the know can figure out the password, but it's hugely complicated and still results in passwords that are a combination of letters (upper & lower) and numbers.

GideonX
08-18-2004, 05:03 PM
Tina, let your 'someone' know they have no idea what they're talking about ;)

We use diff root passes for each box we operate. It is just plain silly not to.

nickn
08-18-2004, 05:33 PM
Originally posted by eBoundary

Give each staff member a Palm Pilot, install the STRIP application on there (encrypts password with AES so they are not going to be cracked)

You could also give each employee a USB flash drive (I bought a 256mb Sandisk Cruzer for $29 yesterday) and put KeePass (http://keepass.sf.net) on it. Everything's encrypted, and you can just send out new databases whenever there are updates...passwords are always encrypted.

If you want to get very secure, you could buy a flash drive with fingerprint security.

eBoundary
08-18-2004, 05:41 PM
Originally posted by nickn
You could also give each employee a USB flash drive (I bought a 256mb Sandisk Cruzer for $29 yesterday) and put KeePass (http://keepass.sf.net) on it. Everything's encrypted, and you can just send out new databases whenever there are updates...passwords are always encrypted.

If you want to get very secure, you could buy a flash drive with fingerprint security.

Problem with relying on OS-dependent software like KeePass is that you're relying on everyone using (and always using) Windows.

To make the USB drive solution more portable you could simply use PGP keys to encrypt/decrypt the text file, spreadsheet etc on the keys and distribute them that way, this also takes away the need to have a password on the database :)

I like STRIP on my palm because it's fast, I can have multiple categories and accounts per server in an extremely easy to navigate interface. It's also not dependent on the desktop OS.

Obviously as always some things will work better for some people and not others, but both are very viable solutions.

SEATi
08-18-2004, 06:37 PM
I just hope that the one that says that it's safe to use the same root password isn't a webhost or even worse, a managed dedicated servers provider LoL