Root user password

I have enabled ssh access and understand I am to use the SSH USER to connect remotely.

However, in /etc/shadow, the root account has a password set, and according to /etc/ssh/sshd_config is allowed to log in remotely. I am concerned that this password is possibly set on all devices and could be used if that password is discovered. Does anyone know if this is the case?
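The check described in the post above can be scripted. This is an added example, not part of the original post or WD's firmware; it assumes stock OpenSSH and shadow file formats with password authentication left enabled, and the sample files and hash are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: can root log in over SSH with a password?
# File paths are arguments so the check can run against copies of the real files.

# First PermitRootLogin before any Match block (sshd uses the first value it reads).
root_login_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# State of root's password field in a shadow-format file.
root_password_state() {
    awk -F: '$1 == "root" {
                 if ($2 == "") print "empty"
                 else if ($2 ~ /^[!*]/) print "locked"
                 else print "set"
                 found = 1; exit }
             END { if (!found) print "missing" }' "$1"
}

# Usage: root_ssh_exposure SSHD_CONFIG SHADOW
root_ssh_exposure() {
    setting=$(root_login_setting "$1"); state=$(root_password_state "$2")
    case "$setting" in
        no|prohibit-password|without-password|forced-commands-only)
            echo "ok: PermitRootLogin $setting" ;;
        *)  # "yes", or unset (older OpenSSH defaults to yes; confirm with `sshd -T`)
            case "$state" in
                set)   echo "exposed: PermitRootLogin $setting, root password set" ;;
                empty) echo "review: root password empty; SSH login needs PermitEmptyPasswords yes" ;;
                *)     echo "ok: root password $state" ;;
            esac ;;
    esac
}

# Constructed sample files (placeholder hash, not from any real device).
demo_dir=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\n' > "$demo_dir/sshd_config"
printf 'root:$1$CONSTRUCTED$placeholderhash:16000:0:99999:7:::\n' > "$demo_dir/shadow"
root_ssh_exposure "$demo_dir/sshd_config" "$demo_dir/shadow"
```

An "exposed" result means the root password is the only barrier; setting `PermitRootLogin no` or locking the account with `passwd -l root` closes it, though a firmware update may restore the original files.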

Hi and welcome to the WD community.

I have not tried this, let's see if another user can give you some tips and some information on this matter.

sbthomas - You’ve just made things easier for hackers by saying aloud the SSH login name here. I have no idea why you had to explicitly say it aloud. Those who own an EX2 can find the username without you stating it. Do you have any idea how damaging your post is? Sigh…I’ve been avoiding ever stating the login name out on this forum board and then here you come along blithely stating it away right there on your very first post. I have SSH activity logging turned on and cloud access turned on for the past six months, so I have been seeing the countless hack attempts on my device daily from China, etc. And the main reason I’ve so far been safe is because the hackers don’t know that root login doesn’t work and their brute force attempts have been primarily used against the root login instead of the login that does work. And now here you come along and give that vital info away with your very first post. If anyone enables dashboard cloud access on the EX2, they already make the device name visible to anyone accessing their IP on port 80 from outside…so hackers can easily know that it’s a WD device…and thanks to your post, you’ve just narrowed the SSH login username for them.

Is there any way I can plead with you to edit the wording of your post to remove the direct reference of the valid username and just use a reference to it? It would be highly appreciated. Edit is available from the dropdown menu on the top-right corner of each post’s text area. Please use indirect reference, if you really want to keep the SSH username a secret from random folks browsing through this forum for info.

Hi

Sometimes we need to access the WD remotely, and I think SSH is a safer way, but as you said there are too many brute force and network sniffing attacks, and we are worried about the security of the device, especially after the Shellshock bug.

I think it would be better if WD cloud had an internal firewall like iptables to set access rules inside the device.

If you agree with me, please vote here

CyberNut - I am a computer security professional and completely disagree that mentioning the ssh username in this forum makes your device any more vulnerable. The username is standard in all Linux distros and I have had brute force attempts utilizing all default Linux accounts for years. That being said, listing the ssh username here certainly does not make things more secure and I will edit my post to remove the name of the user.

If you are really concerned about security, you should be paying attention to the point of my original post. The root account IS allowed to ssh in to the NAS and has a password set. A password which I believe is not set by the end user and may be standard across devices. You should be confident in the complexity of your ssh user password. What makes me uncertain is I do not know the root password. I was hoping someone on here may have input. I certainly wouldn’t open my WD2 to the internet without resolving this question.

david001 - A local firewall enabled on the device is a great idea. Although restricting by IP is difficult, but perhaps if they implemented a geolocation option to disallow all attempts from foreign countries… Good feature request.

sbthomas - I appreciate you editing your post to remove that username. Thank you.

But I want to say a few things. I agree on your point that I should derive confidence on the complexity of my ssh user password. That is true. I also agree, that there is a root login whose password is probably the same across this product. But I am certain WD has made it enormously complex to crack unless someone uses a sustained brute force attack lasting a very long period of time. So yes, that risk does exist but that risk, in my humble opinion, is quite likely much smaller than a user who creates maybe not as complex a password for their login and that username becomes available here. Yes, I know it’d be the user’s responsibility at that point to create a strong enough password, but users vary in their tech and security knowledge and skills and therefore not all users can be expected to think about the complexity of the password.

However, I disagree on a couple things:

First, a very diligent and determined hacker who can figure out what the device they are trying to break into is, could go into the product’s forums (here). And if it brings them here, you can be assured they would search for thread topics just like this one and if in there they find the right username, it just makes their task much easier. So I disagree with your assessment that mentioning the username here does not make it any more vulnerable. Yes, the risk is relatively small…but it is there. But I appreciate that you did remove it from your post.

And second, the ssh login username is not a standard across all Linux distros. I have been using Oracle Linux for years now, which is a fork of the Red Hat Linux and it does not have that username. I also have not encountered that username in many other Linux distros that I have used occasionally. In fact, that username has been attempted by less than 0.01% of all the attempts on my EX2…because mostly they are trying to get in as root. They do use plenty of other usernames but the SSH username used for EX2 is one they almost never try. But if they did know that it is a valid username, my guess is that username will jump to the top of their list.

The other thing that I am a bit surprised about is that you as a security pro think that firewalling foreign countries using geolocation would make much of a difference. I will just point you to this SSH log listing from my own EX2 that was captured over 3 days in December → http://pastebin.com/mdG9yAGb

I have removed one column from the log (to hide crucial info) but everything else is there. This will show you the mind-boggling breadth of countries in which hackers have access to compromised computers. If you look at the sustained attack that was launched by one hacker from the beginning of the log, you’ll see that many of the computers are located in US (and plenty from outside as well). And that is a common occurrence today. From your line of work you would be already aware of this fact…that a lot of US companies are playing the unwitting role of accomplices to foreign attacks thanks to countless compromised computers. And the attacks shown in the log probably do not include many other computers in the hacker’s arsenal because in the preceding several months, I have been manually blocking in my router’s firewall lots of IP address chunks (chunks of 65K addresses for each unique IP I would see in my logs… e.g. if I see 123.123.110.110, I’d block every IP beginning with 123.123, for a total of 65K addresses per chunk). So these log entries were from a sustained attack by almost certainly one attacker that lasted for several days (I only included 3 days) from a global bank of zombie computers that the hacker has access to, barring the ones that I had already blocked in my router’s firewall.

Anyway, I appreciate your co-operation with my request.
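The kind of log review described in the post above (which usernames are being tried, and which /16 blocks the attempts come from) can be reproduced with a short script. This is an added example, not the poster's own tooling; it assumes standard OpenSSH "Failed password" log lines, and the sample log is constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the thread: summarise failed SSH password attempts.
# Reads OpenSSH auth log lines on stdin.

# Print "user ip" per failed attempt, keyed on the last "from" token so the
# length of the syslog prefix does not matter.
failed_attempts() {
    awk '/Failed password for / {
             for (i = NF; i > 1; i--)
                 if ($i == "from") { print $(i - 1), $(i + 1); break }
         }'
}

# "count value" lines, highest count first, ties broken by value.
count_sorted() { sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2; }

# Which login names are being guessed.
failed_by_user() { failed_attempts | awk '{ print $1 }' | count_sorted; }

# Collapse each IPv4 source to its /16 (65,536 addresses per block).
failed_by_slash16() {
    failed_attempts |
        awk '{ if (split($2, o, ".") == 4) print o[1] "." o[2] ".0.0/16" }' |
        count_sorted
}

# Constructed sample log lines (documentation address ranges, invented hosts).
sample_log() {
    cat <<'EOF'
Dec 12 03:14:07 nas sshd[2101]: Failed password for root from 203.0.113.10 port 51122 ssh2
Dec 12 03:14:09 nas sshd[2101]: Failed password for root from 203.0.113.10 port 51122 ssh2
Dec 12 03:15:40 nas sshd[2107]: Failed password for invalid user admin from 203.0.44.9 port 40211 ssh2
Dec 12 03:16:02 nas sshd[2111]: Failed password for root from 198.51.100.23 port 60001 ssh2
Dec 12 03:17:30 nas sshd[2120]: Accepted password for nasuser from 192.0.2.5 port 50000 ssh2
EOF
}

echo "By username:";   sample_log | failed_by_user
echo "By /16 source:"; sample_log | failed_by_slash16
```

The number of distinct /16 lines in the second summary shows how quickly per-block blocking grows when attempts arrive from many networks.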

I have 3 wdtv live units and they ask for user and password. Nothing in the boxes they came in gives a clue.

I guess private posts not allowed here but WD have my email etc they could send me a post.

My problem lies with Windows 8.1, it won’t see the hard drive attached to the box. I was thinking if I could get the password etc and fill that in the computer might be able to see the attached disk on the net. Any help appreciated.

John

Way to go, sbthomas, the secret is out. Now people know to try to login as “root” when they want to own a Linux machine. :)