Operating System - Linux
sukumar maddela
Occasional Advisor

direct root access restrict.....

Hi all,

In my company everyone logs in directly as root. I would like to restrict that direct login to root. I would like all users to log in using an individual user account and then use su as necessary.

Please propose some solutions to this problem.


thanks and regards
sukumar
Kodjo Agbenu
Honored Contributor

Re: direct root access restrict.....

Hi,

If you are talking about a single server or a small number of servers accessed by many people:

1 - Make sure that you have a file named /etc/securetty, with the following content :

tty1
tty2
tty3
tty4
tty5
tty6
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6

It means that root can log on only on the local console (not remotely).

2 - In SSH configuration file /etc/ssh/sshd_config :

PermitRootLogin no

Then restart sshd to apply changes.


If you are talking about Linux desktops or workstations, there is no solution: if the user has some Linux knowledge, (s)he can bypass any protection you may set up. Therefore, the only method in this case is education, security awareness, ...

Good luck,
Kodjo
Learn and explain...
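The two settings in the reply above are easy to get subtly wrong: sshd honours only the first occurrence of a keyword (a later `PermitRootLogin no` does nothing), a commented-out line has no effect, and directives after a `Match` block apply only conditionally. The script below is an added example, not code from the original post; it audits constructed copies of sshd_config and /etc/securetty, and the sample file names it creates are assumptions. Point the two check functions at the real /etc/ssh/sshd_config and /etc/securetty to audit a host. One caveat a practitioner should keep in mind: /etc/securetty is consulted by pam_securetty, i.e. by services such as login whose PAM stack includes that module; sshd is governed by PermitRootLogin, so both settings are needed.

```shell
#!/bin/sh
# Added example (not from the original reply): audit PermitRootLogin and
# /etc/securetty against constructed sample files. The file names created
# under "$1" by make_samples are assumptions for the demonstration.

# Print the value sshd would actually use for PermitRootLogin.
# Rules implemented: comment and blank lines are ignored, keywords are
# case-insensitive, "key value" and "key=value" forms are both accepted,
# the FIRST occurrence wins, and everything after the first "Match" line is
# conditional, so scanning stops there. If the keyword is absent, the
# historical default "yes" is reported (newer OpenSSH defaults to
# prohibit-password, so treat an absent keyword as "review by hand").
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                            # comments, blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # normalise key=value
        tolower($1) == "match" { exit }                    # later lines are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Print every /etc/securetty entry that is not a local console, i.e. not
# "console", "ttyN" or "vc/N" as listed in the reply. Anything else
# (pts/N, ttySN, ...) is printed so that it can be reviewed.
securetty_non_console() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 !~ /^(console|tty[0-9]+|vc\/[0-9]+)$/ { print $1 }
    ' "$1"
}

# Constructed sample files for the demonstration (not taken from any real host).
make_samples() {
    cat > "$1/sshd_config.bad" <<'EOF'
# PermitRootLogin no
Port 22
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
    cat > "$1/sshd_config.good" <<'EOF'
Port 22
PermitRootLogin = no
PermitRootLogin yes
EOF
    printf 'Port 22\n' > "$1/sshd_config.default"
    cat > "$1/securetty.bad" <<'EOF'
console
tty1
tty2
pts/0
ttyS0
EOF
    printf 'console\ntty1\ntty2\nvc/1\nvc/2\n' > "$1/securetty.good"
}

# Demonstration run on the constructed samples.
dir=$(mktemp -d)
make_samples "$dir"
for f in bad good default; do
    echo "sshd_config.$f -> effective PermitRootLogin: $(effective_permit_root_login "$dir/sshd_config.$f")"
done
echo "securetty.bad entries to review: $(securetty_non_console "$dir/securetty.bad" | tr '\n' ' ')"
echo "securetty.good entries to review: $(securetty_non_console "$dir/securetty.good" | tr '\n' ' ')"
rm -rf "$dir"
```

The "bad" sample shows why grepping for the string `PermitRootLogin no` is not enough: it is present twice in that file, once commented out and once inside a `Match` block, yet root login is still allowed because the first unconditional occurrence says `yes`.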
Steven E. Protter
Exalted Contributor

Re: direct root access restrict.....

Create users for the other people and change the root password.

Make sure you have backing from management but I think they'll agree root access for all is like playing with matches in an ammunition dump.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sorrel G. Jakins
Valued Contributor

Re: direct root access restrict.....

Get a utility called "sudo"; then any user who needs to issue a specific root-level command can be set up in a permissions table and can only do what you permit him to do. sudo activity is logged.

HTH
Sorrel
Alexander Chuzhoy
Honored Contributor

Re: direct root access restrict.....

The fastest solution is to change root's password, thus preventing users from logging in as root.
If you want to have centralized management of users then you should consider setting up a domain (NIS or LDAP).
Andrew Cowan
Honored Contributor

Re: direct root access restrict.....

Make use of TCP Wrappers for all services by editing "/etc/hosts.allow" and "/etc/hosts.deny". This enables you to tie users down to specific IP addresses or subnets. That way, if users try from another location they will be denied access.
Andrew Cowan
Honored Contributor

Re: direct root access restrict.....

Another couple of nice security tweaks:

1. Use PAM to disable the system-wide usage of .rhosts files in users' home directories by adding these lines to /etc/pam.d/rlogin:

#
# Disable rsh/rlogin/rexec for users
#
login auth required pam_rhosts_auth.so no_rhosts

2. Limit who has access to the su command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:

usermod -a -G wheel <username>   # -a appends wheel; without it the user's other supplementary groups are replaced

In the previous command, replace <username> with the username being added to the wheel group.
Next, open the PAM configuration file for su (/etc/pam.d/su) in a text editor and remove the comment [#] from the following line:

auth required /lib/security/pam_wheel.so use_uid

Doing this permits only members of the administrative group wheel to use the program.

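After making the wheel change described above it is worth verifying both halves of it on the host: that the intended people are actually members of wheel, and that the pam_wheel line in /etc/pam.d/su is really uncommented and in the auth phase with a `required` (or `requisite`) control, since a `sufficient` line means something quite different. The script below is an added example, not code from the original post; it runs against constructed copies of /etc/group and /etc/pam.d/su, and the sample file names are assumptions. Pass the real files to the two check functions to audit a host.

```shell
#!/bin/sh
# Added example (not from the original reply): check on constructed copies of
# /etc/group and /etc/pam.d/su that su is actually restricted to wheel.
# The file names created under "$1" by make_su_samples are assumptions.

# Usage: user_in_wheel USER GROUPFILE
# Exit 0 if USER appears in the member list of the wheel line of a group
# file (format name:password:gid:member,member,...). Assumption: only the
# supplementary member list is checked; pam_wheel also admits a user whose
# primary GID in /etc/passwd equals wheel's, which this function does not see.
user_in_wheel() {
    awk -F: -v u="$1" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Usage: pam_wheel_enforced PAMFILE
# Exit 0 if the su PAM stack has an uncommented "auth required|requisite
# ... pam_wheel.so" line. Both the bare module name and a full path such as
# /lib/security/pam_wheel.so are accepted. A "sufficient" pam_wheel line is
# deliberately not counted: with the trust option it grants su rather than
# restricting it.
pam_wheel_enforced() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "auth" && $2 ~ /^(required|requisite)$/ && $3 ~ /(^|\/)pam_wheel\.so$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample files: a group file and /etc/pam.d/su before and after
# the comment marker is removed from the pam_wheel line.
make_su_samples() {
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
users:x:100:carol
EOF
    cat > "$1/su.before" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
EOF
    cat > "$1/su.after" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
EOF
}

# Demonstration run on the constructed samples.
dir=$(mktemp -d)
make_su_samples "$dir"
for u in alice bob carol; do
    if user_in_wheel "$u" "$dir/group"; then echo "$u: member of wheel"; else echo "$u: NOT in wheel"; fi
done
for f in before after; do
    if pam_wheel_enforced "$dir/su.$f"; then echo "su.$f: pam_wheel enforced"; else echo "su.$f: pam_wheel NOT enforced"; fi
done
rm -rf "$dir"
```

On a real host, `user_in_wheel alice /etc/group && pam_wheel_enforced /etc/pam.d/su` is the check that both steps of the reply took effect; if the first succeeds but the second fails, every user can still `su -` with the root password.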
Rick Garland
Honored Contributor

Re: direct root access restrict.....

I am a fan of the 'wheel' group solution.

If all of the users know the root password, they cannot log in as root, and they cannot su - to root either.

Use the /etc/securetty file to allow direct root login only on the console.

If using ssh, modify the sshd_config to PermitRootLogin no

For telnet, the /etc/securetty file will suffice.

For ftp, use the ftpusers/ftpaccess files.