topic Re: protecting the root account in Operating System - HP-UX

protecting the root account

zenus — Tue, 13 May 2008 10:36:28 GMT

how can i prevent root account to remote connect?

Re: protecting the root account

Rita C Workman — Tue, 13 May 2008 10:38:56 GMT

One thing you can do is to ensure that there are NO .rhosts or hosts.equiv on your systems...

Rgrds,
Rita

Re: protecting the root account

Steven E. Protter — Tue, 13 May 2008 10:45:37 GMT

Shalom,

You can if you wish disable remote login and require console only login.

http://groups.google.com/group/comp.unix.questions/browse_thread/thread/a9a13d004ff7bf28/1fe6e6401cd58e71

How far you go in this idea depends on how hard you want it to be for you to fix the system when it requires authorized work.

SEP

Re: protecting the root account

zenus — Tue, 13 May 2008 10:45:40 GMT

how and where can i verify that? (.rhosts and hosts.equiv)

Re: protecting the root account

Sajjad Sahir — Tue, 13 May 2008 10:55:28 GMT

u can see like these

more .rhosts
more /etc/hosts.equiv
# more .rhosts

data1 root
data1.domain root
data2 root
data2.domain root

data1 oracle
data2 oracle
data1# more /etc/hosts.equiv

data2 oracle
data2 root
data1 oracle
data1 root
u have to check the entries in .rhosts file and hosts.equiv file u have to check it
in order to part of security

thanks and regards

Sajjad

Re: protecting the root account

Bill Hassell — Tue, 13 May 2008 11:01:42 GMT

The most important features have been mentioned:

Create the securetty file like this:

print "console" > /etc/securetty

Now, no one can login as root unless they are using the system console.

Remove any .rhosts file in root's $HOME directory. Remove /etc/hosts.equiv if you are not using the 'r' commands (rlogin, rcp and remsh) or at least remove any root entry in that file.

The best way to remove root access is to change the root password every day to a random value. No one will know the root password and therefore must use two logins to get root access: one as an ordinary user and then use sudo to run single commands as root.

Also, turn off VUE or CDE so remote Xwindow desktop is not available. You can still use Xwindows but without the desktop feature.

Consider using only ssh rather than telnet and if not needed, turn off ftp (use scp instead).

Re: protecting the root account

Rita C Workman — Tue, 13 May 2008 11:24:19 GMT

First, remember that users may have set up .rhosts files, so if this is permitted exclude these from your search.

You might try this to locate .rhost files...you may wish to run this when things are quiet, cause find takes up some resources.

find / -name .rhosts -print

Rgrds,
Rita