
root login

Raji Murthy
Occasional Advisor

root login

Hi!
Can you people give me some good ideas on how to secure root login? Currently we have several Unix servers, and people who have root access log in from anywhere, and we do not know who all became root and did stuff.

Thanks
be good and do good
15 REPLIES
Bill McNAMARA_1
Honored Contributor

Re: root login

Sandip Ghosh
Honored Contributor

Re: root login

Do one thing:
Use securetty. In this process you have to log in as a user and then you have to su to become root.

You have to create a file securetty under /etc, and in that file just enter root.

It will solve your problem.

Sandip
Good Luck!!!
Uday_S_Ankolekar
Honored Contributor

Re: root login

One way to stop this is to create a file called securetty in the /etc directory and put the entry 'console' in it.

This way nobody can log in directly as root on the system. One has to log in as himself and then do su to gain root access.

syslog will keep a record of this.

Also, who -R will show you who logged in from where.

Goodluck,
-USA..
Good Luck..
Peter Kloetgen
Esteemed Contributor

Re: root login

Hi Raji,

I don't like to bring bad news to you, but did you think over the fact that you have somebody on your systems who is, or at least was, root?

This opens the possibility to "open doors" even if you secure the root- access afterwards. And are you sure you will find all the holes he opened?

In my opinion the only option you have is to reinstall your systems if anybody stayed on them as root. Sorry.....

Always stay on the bright side of life!

Peter
I'm learning here as well as helping
Patrick Wallek
Honored Contributor

Re: root login

Besides using the /etc/securetty file to limit root login to the console, go ahead and change the root password and see who screams. Then ask why they need the password.

You could also install sudo:

http://www.courtesan.com/sudo
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/

Once you have installed it, you can set up specific users so that they have access to specific commands as root, but don't need the root password. Sudo activity will also be logged, to syslog I think.
pap
Respected Contributor

Re: root login

Hi Raji,

You have to:
1. create the /etc/securetty file
2. enter the entry "console" (without the quotes).

You are all set.

Now you can become superuser by logging in with your personal ordinary user id and then doing "su".

-pap
"Winners don't do different things , they do things differently"
Jeffrey S. Sims
Trusted Contributor

Re: root login

I agree with Peter that reloading is your best option, if that is an option at all. If not, then step by step do everything you can to secure the machine: run scripts to look for backdoors and trojans, etc.

Anyway, just to add my $0.02 worth to the equation. Another thing you can do: once you use securetty to limit root access to the console only, the users can still su. So to limit the number of users that can su to root, you can:

chown root:wheel /usr/bin/su    # change the owner/group first: chown can clear the setuid bit
and
chmod 4750 /usr/bin/su          # setuid root, rwx for root, r-x for group wheel, nothing for others (4660 would leave su non-executable)

then add root and whatever other users you want to be able to su to the wheel group, and only the users in the wheel group will be able to use the su command.

After you have done what you are going to do, and you think that all backdoors are closed and there are no more trojans or sniffers on your computer, install tripwire and monitor file changes, additions and removals.

These are a few suggestions; do with them what you please.

Hope it helps.
Jeffrey S. Sims
Trusted Contributor

Re: root login

Sorry, almost forgot, if you haven't done so already I would disable telnet and use something more secure such as ssh or openssh. Likewise you can disable ftp and use sftp in its place.

Ok now I am done.
Deshpande Prashant
Honored Contributor

Re: root login

Hi
"console" in /etc/securetty will allow root login on the console only.

On a trusted system, the parameter "SU_ROOT_GROUP=administrator" will allow only members of administrator to su to root.

The securetty file does not control root login via X-emulation software, so modify root's .profile to check it.
#--
# Refuse direct root logins that did not come in on the console.
# logname gives the name the session was logged in with, so a normal
# user who has done su to root is not affected by this check.
user="`logname`"
sulog="/var/adm/sulog"
# tty prints e.g. /dev/console or /dev/pts/2; keep the part after /dev/
TTY="`tty | cut -d/ -f3`"

if [ "${user}" = "root" ]
then
    if [ "${TTY}" != "console" ]
    then
        echo " : root login allowed only through console..."
        exit
    fi
fi
##--

Thanks.
Prashant Deshpande.
Take it as it comes.
Jeff Harr
New Member

Re: root login

Another thing you could do to secure root on your system is install Sudo. This is a program that lets certain users run things as root, and can even give you a root shell if you belong to certain groups (and run "sudo su").
Example:
If a person wanted to run a program like "ls" as root, and didn't know the root password, but needed to see into root-read-only directories, he/she would run "sudo ls". They'd be prompted for THEIR password, then they'd get ls run as root.
Pitfalls: anything a user can run as root should be carefully inspected to make sure it couldn't be exploited. For example, NEVER give sudo access to programs with shell escapes (like vi), or folks can just do a :sh and pop out with a root prompt.
Rose Lariviere
Occasional Advisor

Re: root login

Hi Raji,
Secure your system as mentioned above, and afterward, if you need many "root" users to have restricted access, this is free!

http://www.courtesan.com/sudo/intro.html

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

It has the ability to restrict what commands a user may run on a per-host basis.

Sudo does copious logging of each command, providing a clear audit trail of who did what.

K.Vijayaragavan.
Respected Contributor

Re: root login

Hi,

1) They may be getting root privilege by using the command "su" (of course they should know the password). If you want to block this, then you may have to block the usage of "su" itself by doing "chmod" on the su file.

2) They may be getting root privilege by entering the system through "rlogin, telnet, rsh". If you want to block this you may have to deny these services to those clients by specifying "deny" in the /var/adm/inetd.sec file, and by specifying the entry "console" in the "/etc/securetty" file.

3) But the "/etc/securetty" file has no control over XDMCP clients getting your CDE login screen from their workstation or PC (having Exceed). In that case specify to whom you want to allow the CDE login screen by editing the file "/etc/dt/config/Xaccess"
and "/usr/dt/config/Xaccess".

4) Do not allow others to log in to your system using the root account by specifying the entry "root" in the /etc/ftpusers file.

5) Check the file "/etc/passwd" for duplication of User ID or Group ID. If any user other than root has user ID 0, disable it or do the needful to change it. Only root is supposed to have group id "0".

6) Check the "/etc/hosts.equiv" and "rhosts" files on your system and ensure that they are not granting any root privilege to remote systems.

7) If any user has his application start directly instead of getting into the $ prompt and starting his application, ensure that his application or startup script does not allow him to break out of it and get into the system with root privilege.

Sorry for the lengthy draft.

-Vija
"Let us fine tune our knowledge together"
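Items 5 and 6 above turned into a repeatable check, as an added example that is not part of any post in this thread: a shell script run over constructed copies of /etc/passwd, /etc/hosts.equiv and a .rhosts file (the sample contents and the working directory are assumptions).

```shell
#!/bin/sh
# Added example, not from the thread: scripted versions of items 5 and 6 above,
# run against constructed sample files rather than the live system.

WORK="${TMPDIR:-/tmp}/rootaudit.$$"

# Write the constructed sample passwd, hosts.equiv and .rhosts files.
write_samples() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
raji:x:101:20::/home/raji:/usr/bin/sh
toor:x:0:20::/home/toor:/usr/bin/sh
bob:x:102:20::/home/bob:/usr/bin/sh
EOF
    cat > "$1/hosts.equiv" <<'EOF'
# trusted hosts
buildbox
+
EOF
    cat > "$1/.rhosts" <<'EOF'
devbox raji
anyhost root
EOF
}

# Item 5: print every account other than "root" whose UID is 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Item 6: print entries in hosts.equiv / .rhosts files that trust too widely:
# a bare "+" (any host or any user) or an entry naming root.
risky_trust_entries() {
    awk '!/^#/ && NF > 0 && ($1 == "+" || $2 == "+" || $2 == "root") {
            print FILENAME ": " $0 }' "$@"
}

write_samples "$WORK"
extra_uid0_accounts "$WORK/passwd"                       # prints: toor
risky_trust_entries "$WORK/hosts.equiv" "$WORK/.rhosts"  # the "+" and "anyhost root" lines
rm -rf "$WORK"
```

Point the two functions at the real /etc/passwd, /etc/hosts.equiv and /.rhosts to run the same checks on a live host; an empty result from both is what you want to see.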
John Strang
Regular Advisor

Re: root login

Hi Raji,

First thing to do would be to change the current root passwords, to prevent people logging in as root.

Also check the /.rhosts and /etc/hosts.equiv files.

HTH,

John
If you never make a mistake you'll never make anything.
Trond Haugen
Honored Contributor

Re: root login

Apart from what has already been mentioned:
1. Check sulog to see whether all users that have su'ed should have.
2. Check the system for "odd" files owned by root and with the suid bit set. A suid shell will give users root access.
3. Check root's .rhosts.
4. Change the root password.
4b. Use a password cracker program to check that the password can't be cracked.

Regards,
Trond
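The sulog review in item 1 above (and the syslog/sulog records mentioned earlier in the thread), as an added example that is not part of any post: a shell script that summarises su attempts to root, assuming the HP-UX sulog line layout, an allow-list of administrators, and constructed sample entries.

```shell
#!/bin/sh
# Added example, not from the thread: summarise su activity from an HP-UX style
# /var/adm/sulog.  Each line looks like:   SU MM/DD HH:MM + tty user-newuser
# where "+" is a successful su and "-" a failed one.  Sample data is constructed.

SULOG="${TMPDIR:-/tmp}/sulog.sample.$$"

# Accounts that are supposed to become root (an assumption for this example).
ALLOWED_SU_USERS="raji bob"

write_sample_sulog() {
    cat > "$1" <<'EOF'
SU 05/12 09:01 + console raji-root
SU 05/12 09:15 + pts/2 bob-root
SU 05/12 09:16 - pts/3 mallory-root
SU 05/12 09:17 - pts/3 mallory-root
SU 05/12 10:40 + pts/2 bob-oracle
SU 05/12 11:02 + pts/5 carol-root
EOF
}

# One "user tty" line per successful su to root.
root_su_successes() {
    awk '$4 == "+" && $6 ~ /-root$/ { sub(/-root$/, "", $6); print $6, $5 }' "$1"
}

# "user count" for every user with at least $2 failed attempts to su to root.
root_su_failures() {
    awk -v min="$2" '$4 == "-" && $6 ~ /-root$/ { sub(/-root$/, "", $6); n[$6]++ }
        END { for (u in n) if (n[u] >= min) print u, n[u] }' "$1"
}

# Successful su to root by anyone outside ALLOWED_SU_USERS: "user tty".
unexpected_root_users() {
    root_su_successes "$1" | while read -r user tty; do
        case " $ALLOWED_SU_USERS " in
            *" $user "*) ;;             # expected administrator
            *) echo "$user $tty" ;;     # not on the list: investigate
        esac
    done
}

write_sample_sulog "$SULOG"
root_su_successes "$SULOG"       # raji console / bob pts/2 / carol pts/5
root_su_failures "$SULOG" 2      # mallory 2
unexpected_root_users "$SULOG"   # carol pts/5
rm -f "$SULOG"
```

Run the three functions against the real /var/adm/sulog to get the same summary for a live host; repeated failures from one tty and successes by names not on the list are the lines worth following up.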
Jeffrey S. Sims
Trusted Contributor

Re: root login

Many Many good answers but so far no points awarded. Raji awarding points is a way to say "Thank you" to those that take the time to answer your questions for you, or lend assistance when needed. It would be beneficial to you to take that into consideration the next time you post a question.

Not to mention my head is cold and I will never get a hat at this rate. (Just kidding)