11-18-2013 10:00 AM - last edited on 11-18-2013 06:34 PM by Maiko-I
root login
We recently had an authenticated scan (inside the firewall) run against our HPUX servers which ended up locking the root account. The scan attempted to log in as root many times, which caused the account to lock. I noticed that if I try to log in as root via ssh I get the banner display but the login attempt fails as expected. Do you know of any additional security configurations that would prevent root login attempts from even getting “in the door”? We should only have root login at the console or via su. Any suggestions you have would be greatly appreciated.
I have the following configurations:
In /etc/securetty
console
In sshd_config
PermitRootLogin no
P.S. This thread has been moved from HP-UX > System Administration to HP-UX > security. - HP Forum Moderator
11-18-2013 02:31 PM
Re: root login
There is no way to tell if a login attempt is from a security scan or from someone trying to break in. One (bad) way to prevent this is to increase the number of failed login attempts to a large number such as 500. But this defeats the purpose of a retry limit. Another solution is to install sudo and authorize certain trusted sysadmins to run root-only commands without su. That way, the damage can be repaired easily.
If you use ssh for logins and scp for file copies, you can disable ftp, telnet, remsh, rcp, rlogin and rexec in inetd to increase your security.
But the real issue is that a primitive security scan that attempts root login attempts can ruin an entire data center with root lockouts, regardless of whether it is Linux, HP-UX, Solaris, AIX, etc. For production systems, the security department, external auditor or consultant must craft security scans that do not cause this type of damage.
Bill Hassell, sysadmin
01-09-2014 08:08 AM - edited 01-09-2014 08:13 AM
Re: root login
Since there is no way for the probe to distinguish between a failed login attempt and a login that is locked out, from a business perspective I think it's a practical approach to use a cron job to periodically unlock accounts that have been locked out. I use userdbget -i -a "auth_failures" to detect accounts that are past the range set by AUTH_MAXTRIES, then userdbset -d -u {account} auth_failures to clear it. After doing so I post a log entry.
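The periodic unlock described in the reply above, sketched as a script that cron could run with the argument --run; this is an added example, not code posted in the thread. It assumes userdbget prints one "user auth_failures=N" line per account and that AUTH_MAXTRIES is set in /etc/default/security; the ALLOW list, the variable names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: clear auth_failures only for accounts on an explicit allow-list.
# Assumption: userdbget output looks like "<user> auth_failures=<n>", one per line.
MAXTRIES_FILE=${MAXTRIES_FILE:-/etc/default/security}
ALLOW=${ALLOW:-root}          # space-separated accounts eligible for auto-clear

# Print AUTH_MAXTRIES from file $1; print 0 if the file or the setting is absent.
get_maxtries() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F= '/^[ \t]*AUTH_MAXTRIES[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print v + 0 }' "$1"
}

# Read userdbget-style lines on stdin; print allow-listed users ($2) whose
# failure count exceeds the limit ($1). A limit of 0 selects nobody.
over_limit() {
    awk -v max="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^auth_failures=[0-9]+$/) {
                    split($i, kv, "=")
                    if (max + 0 > 0 && kv[2] + 0 > max + 0 && ($1 in ok)) print $1
                }
        }'
}

# Clear the counter for each selected account and record it in syslog.
clear_locked() {
    max=$(get_maxtries "$MAXTRIES_FILE")
    userdbget -i -a auth_failures | over_limit "$max" "$ALLOW" |
    while read -r user; do
        userdbset -d -u "$user" auth_failures &&
            logger -p auth.notice "auth_failures cleared for $user (limit $max)"
    done
}

# Only act when asked to, so the functions can be sourced and checked safely.
if [ "${1:-}" = "--run" ]; then clear_locked; fi
```

Accounts that are not named in ALLOW stay locked and are left for an administrator to review.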