https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660462#M20328 The fastest solution is to change root's password,thus preventing from users to login as root.<BR />If you want to have centralized management of users then you should consider to setup domain (NIS or LDAP ). Sun, 30 Oct 2005 03:57:09 GMT Alexander Chuzhoy 2005-10-30T03:57:09Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660458#M20324 Hai all,<BR /><BR />In my company every one are login directly as root. i would like to restrict that direct login to root. I would like all users to login using an individual user account and then use SU as necessary.<BR /><BR />plz prepose some solutions to this problem.<BR /><BR /><BR />thanks and regards <BR />sukumar Sat, 29 Oct 2005 04:44:49 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660458#M20324 sukumar maddela 2005-10-29T04:44:49Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660459#M20325 Hi,<BR /><BR />If you are talking about a single or a few number of servers accessed by many people :<BR /><BR />1 - Make sure that you have a file named /etc/securetty, with the following content :<BR /><BR />tty1<BR />tty2<BR />tty3<BR />tty4<BR />tty5<BR />tty6<BR />vc/1<BR />vc/2<BR />vc/3<BR />vc/4<BR />vc/5<BR />vc/6<BR /><BR />It means that root can logon only on local console (not remotely).<BR /><BR />2 - In SSH configuration file /etc/ssh/sshd_config :<BR /><BR />PermitRootLogin no<BR /><BR />Then restart sshd to apply changes.<BR /><BR /><BR />If you are talking about Linux desktops or workstations, there is no solution : if the user have some Linux knowledge, (s)he can by-pass any protection you may setup. Therefore, the only method in this case is education, security awareness, ...<BR /><BR />Good lcuk,<BR />Kodjo<BR /> Sat, 29 Oct 2005 13:02:05 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660459#M20325 Kodjo Agbenu 2005-10-29T13:02:05Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660460#M20326 Create users for the other people and change the root password.<BR /><BR />Make sure you have backing from management but I think they'll agree root access for all is like playing with matches in an ammunition dump.<BR /><BR />SEP Sat, 29 Oct 2005 15:06:05 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660460#M20326 Steven E. Protter 2005-10-29T15:06:05Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660461#M20327 Get a utility called "sudo" - then any user who needs to issue a specific root-level cmd can be set up in a permissions table and can only do what you permit him to do. sudo activity is logged.<BR /><BR />HTH<BR />Sorrel Sat, 29 Oct 2005 22:38:00 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660461#M20327 Sorrel G. Jakins 2005-10-29T22:38:00Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660462#M20328 The fastest solution is to change root's password,thus preventing from users to login as root.<BR />If you want to have centralized management of users then you should consider to setup domain (NIS or LDAP ). Sun, 30 Oct 2005 03:57:09 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660462#M20328 Alexander Chuzhoy 2005-10-30T03:57:09Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660463#M20329 Make use of TCP-Wrappers for all services by editing "/etc/hosts.allow" and "/etc/hosts.deny". This enables to tie-down users to specific IP-Addresses or subnets. That way if users try from another location they will be denied access. Sun, 30 Oct 2005 09:49:13 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660463#M20329 Andrew Cowan 2005-10-30T09:49:13Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660464#M20330 Another couple of nice security tweaks:<BR /><BR />1. Use PAM to disable the system-wide usage of .rhosts files in user's home directories by adding these lines to /etc/pam.d/rlogin: <BR /><BR />#<BR /># Disable rsh/rlogin/rexec for users<BR />#<BR />login auth required pam_rhosts_auth.so no_rhosts<BR /><BR />2. Limit who has access to the command. <BR />One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root: <BR /><BR />usermod -G wheel <USERNAME><BR /><BR />In the previous command, replace <USERNAME> with the username being added to the wheel group<BR />Next, open the PAM configuration file for su â /etc/pam.d/suâ in a text editor and remove the comment [#] from the following line: <BR /><BR />auth required /lib/security/pam_wheel.so use_uid<BR /><BR />Doing this permits only members of the administrative group wheel to use the program. <BR /><BR /></USERNAME></USERNAME> Sun, 30 Oct 2005 09:54:01 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660464#M20330 Andrew Cowan 2005-10-30T09:54:01Z https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660465#M20331 I am a fan of the 'wheel' group solution. <BR /><BR />If all of the users know the root passwd, they cannot login as root, they cannot su - to the root either.<BR /><BR />Use the /etc/securetty file to allow direct root login only on console.<BR /><BR />If using ssh, modify the sshd_config to PermitRootLogin No<BR /><BR />For telnet, the /etc/securetty file will suffice.<BR /><BR />For ftp, use the ftpusers/ftpaccess files.<BR /> Mon, 31 Oct 2005 12:39:30 GMT https://community.hpe.com/t5/operating-system-linux/direct-root-access-restrict/m-p/3660465#M20331 Rick Garland 2005-10-31T12:39:30Z