dickon wrote:
Sat Sep 11, 2021 5:44 pm
Right up until the point that there's a default account with a well-known default password
The first thing I do after installing a Pi is create another user (with a strong password), give it the same secondary groups as the pi user, then make this new user a sudoer (edit /etc/sudoers, preferably with the command "sudo visudo", which does a syntax check; take inspiration from the pi user's entry).
After that, I switch to the new user and the pi account is locked and never used again.
sudo passwd -l pi
Then I can go ahead with the full system installation, enabling ssh (with fail2ban, now combined with some port knocking to only open the ssh port on demand), then forwarding the port on the router side. I also enable the root account (local access only, no ssh for instance) as this sometimes proves useful when a user account is screwed up.
Those who already have an ssh server accessible from the outside and sometimes look at the logs know that all default users (pi, but also many from network devices, IP cams, etc.) are targeted very often: to log in you must know a user+pass. Using a default user name really makes it easier to break in: that's 50% of the needed information (even if the password should be trickier to guess), 100% if the default password was not changed.
You can even build a machine with external ssh access and sshd configured to log full login info, for fun: in a few days you'll have a dictionary of the user/login pairs used by brute-force scripts!
The problem is if you're hacked by someone using your access as a relay for really nasty business. The risk is having those we call in France "breakfast friends" breaking into your home like wild boars at 6:00 a.m. (the legal time in most circumstances; terrorism cases may bring the police at any time)!
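The user migration described in the post above, as an added example that is not part of the original post: the helper reads group(5) lines so the "same secondary groups as pi" step can be checked offline against a constructed sample, and the privileged commands are only echoed unless RUN=1 is set. The new user name "admin" is an assumption.

```shell
#!/bin/sh
# Added example (not from the forum post): replace the default 'pi' login
# with a new administrative user, then lock 'pi' as the post describes.

# Print the supplementary groups of user $1 as a comma-separated list,
# parsing group(5) lines from file $2, or from stdin if $2 is omitted.
supplementary_groups() {
    user=$1
    groupfile=${2:-}
    # group(5) format: name:password:gid:member,member,...
    awk -F: -v u="$user" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && $1 != u) out = out (out ? "," : "") $1
        }
        END { print out }' ${groupfile:+"$groupfile"}
}

# Constructed sample standing in for /etc/group on a fresh Raspberry Pi OS.
SAMPLE_GROUP='root:x:0:
adm:x:4:pi
sudo:x:27:pi
pi:x:1000:
video:x:44:pi,www-data
netdev:x:108:pi'

# Execute the command when RUN=1, otherwise just show it (dry run).
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }

# Create user $1 with pi's secondary groups, grant sudo, lock pi (needs root).
migrate_pi() {
    new=$1
    groups=$(supplementary_groups pi /etc/group)
    run adduser "$new"                 # interactive: set a strong password
    run usermod -aG "$groups" "$new"   # same secondary groups as pi
    run visudo                         # add $new to sudoers with syntax checking
    run passwd -l pi                   # lock the default account
}

# Usage: sh migrate.sh admin        (dry run)
#        RUN=1 sh migrate.sh admin  (as root, performs the changes)
if [ -n "${1:-}" ]; then
    migrate_pi "$1"
fi
```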