https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023594#M48113 I would like to restrict login by root to specfied ip addresses(the workstations in the IT department).<BR /><BR />Please advise how best to achieve this.<BR /><BR />Thanks Fri, 19 Jan 2007 02:54:35 GMT Nigel Mushet 2007-01-19T02:54:35Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023594#M48113 I would like to restrict login by root to specfied ip addresses(the workstations in the IT department).<BR /><BR />Please advise how best to achieve this.<BR /><BR />Thanks Fri, 19 Jan 2007 02:54:35 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023594#M48113 Nigel Mushet 2007-01-19T02:54:35Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023595#M48114 You didn't specify the type of login ssh, telnet,etc?<BR />If it's one of above - you can achieve this easily with /etc/hosts.deny (to deny login) or /etc/hosts.allow to allow login.<BR /><BR />see examples here:<BR /><A href="http://www.rhce2b.com/clublinux/RHCE-33.shtml" target="_blank">http://www.rhce2b.com/clublinux/RHCE-33.shtml</A><BR /> Fri, 19 Jan 2007 04:30:28 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023595#M48114 Alexander Chuzhoy 2007-01-19T04:30:28Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023596#M48115 Hi Nigel,<BR /><BR />Better you configure SSH and restrict root login from anywhere....<BR /><BR />What you can do is that you can create a common user account and from that you can "su" to your root account.<BR /><BR />In /etc/ssh/sshd_config file, add a clause which is -- AllowUsers <USERNAME> using which you can restrict the access to few IP Addresses only.<BR /><BR />There's a clause which is PermitRootLogin, we need to set it to "no" to restrict root access.<BR /><BR />I'm attaching a sample file for you which you can take a look at it.....<BR /><BR />Do let me know bout any queries...<BR /><BR /><BR />Atul<BR /></USERNAME> Fri, 19 Jan 2007 04:40:34 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023596#M48115 Atul Gautam 2007-01-19T04:40:34Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023597#M48116 Hello Nigel!<BR /><BR />i do the same with IPTables.<BR /><BR /><A href="http://www.netfilter.org/projects/iptables/index.html" target="_blank">http://www.netfilter.org/projects/iptables/index.html</A><BR /><BR />Regards. Fri, 19 Jan 2007 04:45:52 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023597#M48116 Alpha977 2007-01-19T04:45:52Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023598#M48117 How about restrict everybody from login as root but allow 'su -'<BR /><BR />Set up the /etc/securetty file for console only. <BR /><BR />Direct login as root is allowed only from console. Users can 'su -' to the root account. <BR /><BR /> Fri, 19 Jan 2007 17:38:02 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023598#M48117 Rick Garland 2007-01-19T17:38:02Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023599#M48118 Thanks for your replies:<BR /><BR />Alexander<BR /><BR />We are using telnet to login. form what I understand the host.allow and hosts.deny allows one to control what networks can have access. In my case I would want everyone to have access to the server but restrict direct login to root to a few specific IP addresses. I am not clear on how one would do this in these files - can "root" be used as a service keyword ?<BR /><BR />Atul<BR /><BR />I will have to investigate SSH - never set this up before. I can't open your attachment (I am on a very slow link...)<BR /><BR />Alpha977<BR /><BR />I will have to investigate iptables as I have never used this function.<BR /><BR />Rick<BR /><BR />I am using HPUX11 and do not have a /etc/securetyy file - should this be available un HPUX ?<BR /><BR /><BR /> Mon, 22 Jan 2007 00:25:43 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023599#M48118 Nigel Mushet 2007-01-22T00:25:43Z https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023600#M48119 Will need to do further investigation Thu, 01 Feb 2007 03:10:54 GMT https://community.hpe.com/t5/operating-system-linux/restrict-root-access-by-ip-address/m-p/5023600#M48119 Nigel Mushet 2007-02-01T03:10:54Z