HPE Community
Operating System - Linux
1832973 Members
2441 Online
110048 Solutions
New Discussion

Re: stop root login via ilo

 
randy_108
Advisor

‎07-03-2008 06:12 AM

‎07-03-2008 06:12 AM

stop root login via ilo

I ran Bastille and successfully stopped root from logging in with putty. But ilo still lets root login. Any idea how to stop this?

Thanks
Randy
0 Kudos
Reply
2 REPLIES 2
Ivan Krastev
Honored Contributor

‎07-03-2008 06:28 AM

‎07-03-2008 06:28 AM

Re: stop root login via ilo

Remove â /dev/ttyS1â from /etc/securetty.

regards,
ivan
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎07-03-2008 06:45 AM

‎07-03-2008 06:45 AM

Re: stop root login via ilo

The iLO is designed to allow the sysadmin almost the same access as when physically standing next to the machine and using the system console. When a system is running normally, iLO is not needed: it is necessary only when the system has so severe problems that normal login methods don't work, or you need to restore the operating system from backups (or even reinstall from scratch).

If you don't want to give someone the keys to your computer room, you usually don't want to give him/her an iLO password either. If you don't trust someone enough to allow him root access, you *definitely* should not give him iLO access.

Your options at this point:

1.) disable root logins from the console (both physical and iLO), and accept that if there are serious login problems, the system needs to be rebooted from the CD-ROM (or from iLO virtual media) to fix it.
This does not really improve security very much: if someone unauthorized has iLO access, he can use iLO's virtual media and remote power control functions to crash the machine and reboot it using the boot media of his own choice.

2.) disable iLO, and accept that if there are serious problems of any kind, someone must go to the computer room and diagnose and fix them there. This requires more time and effort than remote diagnostics using iLO, so your SLAs should be adjusted accordingly (either the time limits get easier, or the price goes higher).

3.) accept the fact that iLO is a "master key" for your server, and treat it accordingly. This might mean connecting all the iLOs to a separate network segment, which is accessible only through a gateway machine that requires strong authentication and logs all sessions.

MK
MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.