HPE Community
Operating System - Linux
1827855 Members
1616 Online
109969 Solutions
New Discussion

Restrict Root access by IP address

 
Nigel Mushet
Occasional Advisor

‎01-18-2007 06:54 PM

‎01-18-2007 06:54 PM

Restrict Root access by IP address

I would like to restrict login by root to specfied ip addresses(the workstations in the IT department).

Please advise how best to achieve this.

Thanks
0 Kudos
6 REPLIES 6
Alexander Chuzhoy
Honored Contributor

‎01-18-2007 08:30 PM

‎01-18-2007 08:30 PM

Re: Restrict Root access by IP address

You didn't specify the type of login ssh, telnet,etc?
If it's one of above - you can achieve this easily with /etc/hosts.deny (to deny login) or /etc/hosts.allow to allow login.

see examples here:
http://www.rhce2b.com/clublinux/RHCE-33.shtml
0 Kudos
Atul Gautam
Valued Contributor

‎01-18-2007 08:40 PM

‎01-18-2007 08:40 PM

Re: Restrict Root access by IP address

Hi Nigel,

Better you configure SSH and restrict root login from anywhere....

What you can do is that you can create a common user account and from that you can "su" to your root account.

In /etc/ssh/sshd_config file, add a clause which is -- AllowUsers using which you can restrict the access to few IP Addresses only.

There's a clause which is PermitRootLogin, we need to set it to "no" to restrict root access.

I'm attaching a sample file for you which you can take a look at it.....

Do let me know bout any queries...


Atul
0 Kudos
Alpha977
Valued Contributor

‎01-18-2007 08:45 PM

‎01-18-2007 08:45 PM

Re: Restrict Root access by IP address

Hello Nigel!

i do the same with IPTables.

http://www.netfilter.org/projects/iptables/index.html

Regards.
0 Kudos
Rick Garland
Honored Contributor

‎01-19-2007 09:38 AM

‎01-19-2007 09:38 AM

Re: Restrict Root access by IP address

How about restrict everybody from login as root but allow 'su -'

Set up the /etc/securetty file for console only.

Direct login as root is allowed only from console. Users can 'su -' to the root account.

0 Kudos
Nigel Mushet
Occasional Advisor

‎01-21-2007 04:25 PM

‎01-21-2007 04:25 PM

Re: Restrict Root access by IP address

Thanks for your replies:

Alexander

We are using telnet to login. form what I understand the host.allow and hosts.deny allows one to control what networks can have access. In my case I would want everyone to have access to the server but restrict direct login to root to a few specific IP addresses. I am not clear on how one would do this in these files - can "root" be used as a service keyword ?

Atul

I will have to investigate SSH - never set this up before. I can't open your attachment (I am on a very slow link...)

Alpha977

I will have to investigate iptables as I have never used this function.

Rick

I am using HPUX11 and do not have a /etc/securetyy file - should this be available un HPUX ?


0 Kudos
Nigel Mushet
Occasional Advisor

‎01-31-2007 07:10 PM

‎01-31-2007 07:10 PM

Re: Restrict Root access by IP address

Will need to do further investigation
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.