3CX Linux ISO - do NOT enable direct root login. Create "admin" user instead.

Discussion in 'Ideas' started by Silly English Kniggit, Mar 19, 2018.

5/5, 4 votes

  1. Silly English Kniggit

    Joined:
    Sep 13, 2017
    Messages:
    220
    Likes Received:
    87
    By default this is disabled on Debian for security. For some reason the 3CX ISO enables this and only creates a root user (no "admin" user). This leaves the system vulnerable to brute force of the root account (as the username is well known). There appears to be no account lockout, but if there was, it would also make the system vulnerable to DoS of the root account via it being locked out.
     
    simply7 likes this.
  2. newuser1

    Joined:
    Nov 30, 2017
    Messages:
    25
    Likes Received:
    1
    Is there a way to change the user from root to admin after the system is already up and running?
     
  3. cobaltit

    cobaltit Well-Known Member

    Joined:
    Mar 22, 2012
    Messages:
    1,198
    Likes Received:
    188
    Yep.
     
  4. TBWD

    Joined:
    Feb 28, 2018
    Messages:
    12
    Likes Received:
    2
  5. DocTechAZ

    Joined:
    Nov 17, 2017
    Messages:
    94
    Likes Received:
    26
    All you need to do is either disable SSH or set the option so that it requires a key for root login. No one should be regularly logging into the shell in the first place.

    Also note that changing the SSH port does not fool most of the bots out there or the hackers, just the really dumb ones, as far as brute force goes. The best solution is to have a firewall that supports ACLs in between your 3CX servers and the internet, and do not allow port 22; that way it can only be accessed from inside the network.

    NMAP/ZENMAP can find your SSH running on a different port in a matter of 30 seconds, so never rely on that, ever, for any protocol: SSH, RDP, Telnet, etc. Changing the port number is just snake oil.

    Exposing any machine to the internet without a firewall or ACL-supporting router is not best practice in regards to security, no matter which account it has set up on it, or how complicated your passwords are.
     
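The setting discussed in this thread (root over SSH either disabled or key-only) can be audited with a short script; this is an added example, not part of the original thread and not 3CX's own tooling. The function names `effective_value` and `root_password_login` are hypothetical, the sample configuration is constructed, and the defaults used are those of upstream OpenSSH; `Include` files and keyboard-interactive (PAM) authentication are not examined.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for password login as root.
# sshd keeps the FIRST value it reads for each keyword; keywords are
# case-insensitive, and "Keyword=value" is accepted as well as "Keyword value".

# effective_value FILE KEYWORD DEFAULT
# Prints the first value of KEYWORD found before any Match block, else DEFAULT.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }             # normalise Keyword=value
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# root_password_login FILE
# Prints "exposed" when root may authenticate with a password, else "ok".
root_password_login() {
    # Assumed defaults: upstream OpenSSH (a distribution package may differ).
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    pwa=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample, not taken from a 3CX install. The later
# "PermitRootLogin no" has no effect because the first value wins.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF

echo "root password login: $(root_password_login "$SAMPLE")"
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative check.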