From FreeBSDwiki

wheel is a special user group. By default, FreeBSD does not allow direct root login from remote locations, and does not allow any user to su to root - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow su privileges to root from a select few accounts.

If you allow direct root login over ssh, it becomes possible for script kiddies to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account. With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account before even attempting to brute-force a password - and even then, would have to go through the brute force process AGAIN, this time while interactively logged in, in order to get the root password.

With FreeBSD's use of the special wheel group to limit the use of su, security is enhanced even more by ensuring that the attacker would already need to know not only some random username, but a username that is a member of wheel. This also helps mitigate the liability of potentially having clueless shell users who may pick "password" or something equally obvious as their password; even if a kiddie gains shell access by using such an ill-handled account, they at least won't be immediately able to proceed to attacking your root account because your clueless hacked user wasn't a member of wheel.

It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of wheel, or you will defang much (though not all) of the security benefit inherent in this setup.
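The settings described above can be checked with a short read-only audit. This is an added example, not part of the original wiki page. It assumes the stock FreeBSD locations (`/etc/group`, `/etc/ssh/sshd_config`, and the `pam_group.so` line in `/etc/pam.d/su` that enforces the wheel restriction on `su`). The function names and the list of guessable account names are made up for illustration.

```sh
#!/bin/sh
# Added example: read-only audit of the settings discussed above.
# Default paths are FreeBSD's; pass copies as arguments to test offline.

# Accounts listed as wheel members in the group file (field 4), one per line.
# An account whose primary group is wheel is not listed in this field.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${1:-/etc/group}"
}

# Wheel members whose names are easy to guess. The name list is an
# assumption for illustration; extend it to fit your site.
guessable_wheel_members() {
    wheel_members "$1" |
        grep -E -i -x 'admin|administrator|test|guest|user|operator' || true
}

# Global PermitRootLogin value. sshd keeps the first value it reads, so stop
# at the first occurrence or at the first Match block; "unset" means the
# compiled-in default applies.
root_login_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "${1:-/etc/ssh/sshd_config}"
}

# Succeeds if an uncommented auth line in su's PAM stack gates on wheel.
su_requires_wheel() {
    grep -E -q '^[[:space:]]*auth[[:space:]].*pam_group\.so.*group=wheel' \
        "${1:-/etc/pam.d/su}"
}

# audit [GROUPFILE [SSHD_CONFIG [PAM_SU_FILE]]]
audit() {
    echo "wheel members: $(wheel_members "$1" | tr '\n' ' ')"
    g=$(guessable_wheel_members "$1")
    [ -z "$g" ] || echo "WARN guessable wheel account(s): $g"
    case $(root_login_setting "$2") in
        yes) echo "WARN direct root login over ssh is enabled" ;;
        *)   echo "ok   PermitRootLogin: $(root_login_setting "$2")" ;;
    esac
    su_requires_wheel "$3" && echo "ok   su restricted to wheel" \
        || echo "WARN su is not restricted to wheel"
}
```

Source the file and run `audit` with no arguments to check the live system, or pass copies of the three files to review a configuration offline.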
