[cobalt-users] Disallowing remote root login
- Subject: [cobalt-users] Disallowing remote root login
- From: <rpaiz@xxxxxxxxxxxxxx>
- Date: Sat Mar 24 22:54:12 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi!
Long message warning, but I want to ensure that the final result of this
thread is (a) enough to solve my problem, and (b) enough so that others
can duplicate this on their own servers without further instructions.
In the spirit of tightening up security on my server, I've followed the
instructions in the Armoring Linux page
(http://www.enteract.com/~lspitz/linux.html) which I highly recommend to
*anyone* who does not consider themselves expert yet (which ought to be
most of us).
I've issued the following commands:
gpasswd -a xxxxx wheel
gpasswd -a yyyyy wheel
gpasswd -a zzzzz wheel
to add the xxxxx, yyyyy, and zzzzz users to the group wheel, whose
members are the only ones who should be able to su to root. I added
three highly-trusted users in case I forget my password or my plane
crashes (much more likely). Then I did:
chgrp wheel /bin/su
chmod 4750 /bin/su
chgrp changes the permissions, and chmod restores them to what they were
before. Now only these three users can issue the command su.
So far, so good, but...
The final step is to disallow all remote root logins, which will ensure
someone must crack *two* passwords at least to get root access (or hack
some service like BIND, but that's another story). Anyway, one more
layer...
I believe that this is done by editing the /etc/securetty file (which is
a text file only readable/writable by root with permissions 600).
However, this is where I get stuck. The file includes two types of
entries:
vc/[1-11]
tty/[1-11]
OK, but I'm using sshd, and every time I log in I'm listed as using a
pts/[0-?] terminal. Usually 0 or 1, of course, since I should be the
only one ever to log in directly and I rarely run more than two
sessions.
I am *guessing* that vc means "virtual console" so that I should leave
those there, and that tty means "teletype" which is all remote terminals
coming in over serial, network, or any means other than keyboard, so I
should delete all those. Nevertheless, I never delete random things
without asking first.
Point is... what do I change in order to ensure that root can only log in
directly at the console? Of course I want to be able to su to root
remotely, but only after logging in as myself first.
Comments or suggestions? How do I finish this? Will it do what I want?
Is there a real benefit to security?
Thanks,
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>
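The three controls the post is working toward (a wheel-only su, a 4750 su binary, and no root login over the network) can be rehearsed and audited with a small script before anything under /etc or /bin is touched. The following is an added example, not code from the post or from Cobalt; it assumes an OpenSSH sshd whose /etc/ssh/sshd_config takes the PermitRootLogin keyword (the post does not mention sshd_config) and no Match blocks, and the scratch tree it builds under mktemp is constructed here to stand in for the real files. The gpasswd/chgrp/chmod commands stay exactly as the post gives them; the script only checks their outcome.

```shell
#!/bin/sh
# Added example (not from the original post): audit and apply the controls
# the post describes against explicit file paths, so they can be rehearsed
# in a scratch tree and then pointed at /etc and /bin on the real host.
# Assumption: OpenSSH sshd_config with the PermitRootLogin keyword and no
# Match blocks.

# Comma-separated members of the wheel line in a group(5) file.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# 0 if the tty name is listed, i.e. login(1)/pam_securetty lets root in there.
# pts/N is what an sshd session gets, so it should never be listed.
securetty_allows() {
    grep -qxF "$2" "$1"
}

# Effective PermitRootLogin value: sshd honours the first uncommented line.
permit_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; exit }' "$1"
}

# Rewrite the first uncommented PermitRootLogin line, or append one if
# the file has none; commented-out lines are left untouched.
set_permit_root_login() {
    cfg=$1 value=$2 tmp="$1.tmp.$$"
    awk -v v="$value" '
        $1 == "PermitRootLogin" && !seen { print "PermitRootLogin " v; seen = 1; next }
        { print }
        END { if (!seen) print "PermitRootLogin " v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# 0 if the su binary shows mode 4750 (-rwsr-x---) and the expected group
# in ls -l output; a trailing ACL/SELinux marker (+ . @) is ignored.
su_hardened() {
    line=$(ls -ld "$1")
    mode=$(printf '%s\n' "$line" | awk '{ print $1 }' | sed 's/[+.@]$//')
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    [ "$mode" = "-rwsr-x---" ] && [ "$grp" = "$2" ]
}

# Constructed scratch tree mirroring the files the post touches.
stage_scratch() {
    mkdir -p "$1/bin" "$1/etc/ssh"
    printf 'wheel:x:10:xxxxx,yyyyy,zzzzz\nusers:x:100:\n' > "$1/etc/group"
    printf '%s\n' vc/1 vc/2 tty1 tty2 > "$1/etc/securetty"
    printf '#PermitRootLogin yes\nPermitRootLogin yes\n' > "$1/etc/ssh/sshd_config"
    printf '#!/bin/sh\necho fake su\n' > "$1/bin/su"
    chmod 4755 "$1/bin/su"
}

demo() {
    scratch=$(mktemp -d)
    stage_scratch "$scratch"
    echo "before: PermitRootLogin=$(permit_root_login "$scratch/etc/ssh/sshd_config")"
    set_permit_root_login "$scratch/etc/ssh/sshd_config" no
    chmod 4750 "$scratch/bin/su"   # on the real host: chgrp wheel /bin/su, then chmod 4750 /bin/su
    echo "after:  PermitRootLogin=$(permit_root_login "$scratch/etc/ssh/sshd_config")"
    echo "wheel:  $(wheel_members "$scratch/etc/group")"
    if securetty_allows "$scratch/etc/securetty" pts/0; then
        echo "securetty: pts/0 listed, root could log in on a pty via login(1)"
    else
        echo "securetty: pts/0 not listed"
    fi
    rm -rf "$scratch"
}

demo
```

On the live host the same functions are simply pointed at the real paths (`permit_root_login /etc/ssh/sshd_config`, `su_hardened /bin/su wheel`, `securetty_allows /etc/securetty pts/0`). The chgrp step is left to the administrator because an unprivileged user cannot chgrp the scratch copy to wheel, and sshd only rereads its configuration on restart or SIGHUP, so a changed PermitRootLogin takes effect for new connections only after that.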