topic Re: root login in Operating System - HP-UX

root login

Raji Murthy — Thu, 21 Mar 2002 16:43:34 GMT

Hi!
Can you people give me some good ideas how to secure root login. Currently we have several unix servers and people who have root access logs in from anywhere and we do not know who all became root and did stuff.

Thanks

Re: root login

Bill McNAMARA_1 — Thu, 21 Mar 2002 16:46:54 GMT

have a look at:

login from console ONLY:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb2be79bffde7d4118fef0090279cd0f9,00.html

Securing HPUX:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x54f3f9beca68d511abcd0090277a778c,00.html

Check out roots ~/.rhosts

Later,
Bill

Re: root login

Sandip Ghosh — Thu, 21 Mar 2002 16:46:59 GMT

Do one thing,
Use securetty. In this process you have to login as a user and then you have to give su to be root.

You have to create a file securetty under /etc. and under that file just enter root.

It will solve your problem.

Sandip

Re: root login

Uday_S_Ankolekar — Thu, 21 Mar 2002 16:49:47 GMT

One way is to stop this is to create a file called securetty in /etc directory and put entry 'console' in that.

This way nobody can access directly as root in the system . One hase to login as himslef then do su to gain root access.

syslog will keep this recordings.

Also Who -R will show you who logged in from where.

Goodluck,
-USA..

Re: root login

Peter Kloetgen — Thu, 21 Mar 2002 17:00:13 GMT

Hi Raji,

i don't like to bring bad news to you, but did you think over the fact, that you have somebody on your systems who is or at least was root?

This opens the possibility to "open doors" even if you secure the root- access afterwards. And are you sure you will find all the holes he opened?

In my opinion the only option you have is to reinstall your systems if anybody stayed on them as root. Sorry.....

Allways stay on the bright side of life!

Peter

Re: root login

Patrick Wallek — Thu, 21 Mar 2002 17:02:01 GMT

Besides using /etc/securetty file to limit login to the console go ahead and change to root password and see who screams. Then ask why they need the passwd.

You could also install sudo:

http://www.courtesan.com/sudo
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/

Once you have installed you can set up specific users so that they have access to specific commands as root, but don't need the root passwd. Sudo activity will also be logged, to syslog I think.

Re: root login

pap — Thu, 21 Mar 2002 18:57:15 GMT

Hi Raji,

You have to 1.create /etc/securetty file
2.Enter the entry "console.
do not specify " ".

You are all set.

Now you can become super user by login with your personal ordinary user id and then by doing "su"....you can become super user.

-pap

Re: root login

Jeffrey S. Sims — Thu, 21 Mar 2002 19:10:18 GMT

i aggree with Peter that reloading if your best option if that is an option at all. If not then step by step do everything you can to secure the machine, run scripts to look for backdoors and trojans etc etc.

Anyway, just to add my $0.02 worth to the equation. Another thing that you can do once you use securetty to limit root access to the console only, the users can still su. So to limit the number of users that can su to root, you can:

chmod 4660 /usr/bin/su
and
chown root:wheel /usr/bin/su

then add root and whatever other users you want to be able to su to the wheel group and only the users in the wheel group will be able to use the su command.

After you have done what you are going to do and you think that all backdoors are closed and there are no more trojans or sniffers on your comp install tripwire and monitor file changes, additions and removals.

These are a few suggestions to with them what you please.

Hope it helps.

Re: root login

Jeffrey S. Sims — Thu, 21 Mar 2002 19:12:02 GMT

Sorry, almost forgot, if you haven't done so already I would disable telnet and use something more secure such as ssh or openssh. Likewise you can disable ftp and use sftp in its place.

Ok now I am done.

Re: root login

Deshpande Prashant — Thu, 21 Mar 2002 19:19:14 GMT

HI
"console" in /etc/securetty will allow root login on console only.

On trusted system, the parameter "SU_ROOT_GROUP=administrator" will allow only members of administrator to su to root.

The securetty file did not controle root login using X-emulation software, so modify .profile of root to check it.
#--
user=`logname`;
sulog="/var/adm/sulog"
TTY="`tty | cut -d/ -f3`"

if [ ${user} = "root" ]
then
if [ ${TTY} != "console" ]
then
echo " : root login allowed only through console..."
exit
fi
fi
##--

Thanks.
Prashant Deshpande.

Re: root login

Jeff Harr — Thu, 21 Mar 2002 20:22:30 GMT

Another thing you could do to secure root on your system is install Sudo. This is a program that lets certain users run things as root, and even give you a root shell if you belong to certain groups (and run "sudo su").
Example:
If a person wanted to run a program like "ls" as root, and didn't know the root password, but needed to see into root-read only directories, he/she'd run "sudo ls ". They'd be prompted for THEIR password, then they'd get ls run as root.
Pitfalls: anything a user can run as root should be carefully inspected to make sure it couldn't be exploited. For example, NEVER give sudo access to programs wish shell escapes (like vi), or folks can just do a :sh and pop out with a root-prompt.

Re: root login

Rose Lariviere — Fri, 22 Mar 2002 00:38:22 GMT

Hi Raji,
Secure your system as mentioned above and then afterward if you need many "root" users to have restricted access This is Free!

http://www.courtesan.com/sudo/intro.html

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

It has the ability to restrict what commands a user may run on a per-host basis.

Sudo does copious logging of each command, providing a clear audit trail of who did what.

Re: root login

K.Vijayaragavan. — Fri, 22 Mar 2002 08:08:27 GMT

Hi,

1)They may be getting root previlege by using the command "su" (offcourse they should know the password) If you want to block this, then you may have to block the usage of "su" itself by doing "chmod" on su file.

2)They may be getting root previlege by entering into the system through "rlogin,telnet,rsh" If you want to block this you may have to deny these services to those clients by specifying "deny in /var/adm/inetd.sec file. And by specifying the enry "console" in "/etc/securetty" file.

3)But the "/etc/securetty" file has no control on XDMCP clients getting your CDE login screen from their workstation or PC (having exceed). In that case specify to whom all you want to allow CDE login screen by editing the file "/etc/dt/config/Xaccess"
and "/usr/dt/config/Xaccess".

4)Do not allow others to login to your system using root account by specifying the entry "root" in /etc/ftpusers file.

5)check the file "/etc/passwd" for the duplication of User ID or Group ID. If any other user has user ID 0 other than root, disable it or do the needful to change it. Only root is supposed to have groud id "0".

6)check the "/etc/hossts.equiv" and "rhosts" file in your systm and ensure that it is not granting any root previlege to remote systems.

7)If any user is having his application to start directly instead of getting into $ prompt and start his application, ensure that his application or startup script does not allow him to break it and get into the system with root previlege.

Sorry for the lengthy draft.

-Vija

Re: root login

John Strang — Fri, 22 Mar 2002 08:35:45 GMT

Hi Raji,

First thing to do would be to change the current root passwords, to prevent people logging in as root.

Also check the /.rhosts and /etc/hosts.equiv files.

HTH,

John

Re: root login

Trond Haugen — Fri, 22 Mar 2002 08:38:53 GMT

Apart from what already have been mentioned:
1. check sulog to see if all users that have su'ed should.
2. Check the system for "odd" files owned by root and with the suid bit set. A suid shell will give users root access.
3. Check roots .rhosts
4. Change the root password.
4b. Use a password cracker program to check that the password can't be cracked.

Regards,
Trond

Re: root login

Jeffrey S. Sims — Tue, 26 Mar 2002 02:29:52 GMT

Many Many good answers but so far no points awarded. Raji awarding points is a way to say "Thank you" to those that take the time to answer your questions for you, or lend assistance when needed. It would be beneficial to you to take that into consideration the next time you post a question.

Not to mention my head is cold and I will never get a hat at this rate. (Just kidding)