Chapter 4. Workstation Security
Important

Programs that do not require access to the shell, such as email clients or the sudo command, can still access the root account.
4.4.2.2. Disabling Root Logins

To further enforce this, you can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether it be via the console or a raw network interface. This is dangerous because, if configured in this way, a user could telnet into the machine as root, sending the root password in plain text over the network. By default, Red Hat Linux's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command:

echo > /etc/securetty
Warning

A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.
4.4.2.3. Disabling Root SSH Logins

To prevent root logins via the SSH protocol, you will need to edit the SSH daemon's configuration file, /etc/ssh/sshd_config. Change the line that says:

# PermitRootLogin yes

To read as follows:

PermitRootLogin no
4.4.2.4. Disabling Root Using PAM

PAM allows great flexibility in denying specific accounts via the /lib/security/pam_listfile.so module. This allows the administrator to point the module at a list of users that are not allowed to log in. Below is an example of how the module is used for the FTP service in the /etc/pam.d/ftp PAM configuration file (the \ character at the end of the first line is not necessary if the directive is all on one line):

auth required /lib/security/pam_listfile.so item=user \
    sense=deny file=/etc/ftpusers onerr=succeed

This tells PAM to consult the file /etc/ftpusers and deny any user listed access to the service. The administrator is free to change the name of this file and can keep separate lists for each service or use one central list to deny access to multiple services.
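The following audit script is an added example, not part of the guide; it checks the three root-login controls described in 4.4.2.2 through 4.4.2.4 (the state of securetty, the effective PermitRootLogin value, and whether a pam_listfile deny list names a given user) against constructed sample files in a temporary directory, so it can be run without touching a live system.

```shell
#!/bin/sh
# Added audit helpers for the three root-login controls in this section.
# Each check takes a file path, so it works on /etc files or on sample files.

# check_securetty FILE
# Prints "missing" (root may log in on any device), "blank" (console root
# logins disabled; SSH is NOT affected) or "restricted:<n>" (n devices listed).
check_securetty() {
    if [ ! -f "$1" ]; then
        printf 'missing\n'
    elif ! grep -q '[^[:space:]]' "$1"; then
        printf 'blank\n'
    else
        printf 'restricted:%s\n' "$(grep -c '[^[:space:]]' "$1")"
    fi
}

# check_sshd_root FILE
# Prints the effective PermitRootLogin value. sshd honours the first
# uncommented occurrence; a commented or absent line leaves the default,
# which the guide's "# PermitRootLogin yes" line shows as yes.
check_sshd_root() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# pam_listfile_verdict PAMFILE USER
# Joins backslash-continued lines, then prints "denied" if a pam_listfile
# line with item=user sense=deny names USER in its file, else "allowed".
pam_listfile_verdict() {
    verdict=$(awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
                   { print buf $0; buf = "" }' "$1" |
        grep 'pam_listfile\.so' | grep 'item=user' | grep 'sense=deny' |
        while read -r line; do
            f=$(printf '%s\n' "$line" | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p')
            if [ -f "$f" ] && grep -qx "$2" "$f"; then echo denied; break; fi
        done)
    printf '%s\n' "${verdict:-allowed}"
}

# Constructed sample files (not taken from any real system).
SAMPLE=$(mktemp -d)
printf 'tty1\ntty2\n' > "$SAMPLE/securetty"
: > "$SAMPLE/securetty.blank"
printf '# PermitRootLogin yes\nPermitRootLogin no\n' > "$SAMPLE/sshd_config"
printf '# PermitRootLogin yes\n' > "$SAMPLE/sshd_config.default"
printf 'root\nftp\n' > "$SAMPLE/ftpusers"
printf 'auth required /lib/security/pam_listfile.so item=user \\\n    sense=deny file=%s onerr=succeed\n' "$SAMPLE/ftpusers" > "$SAMPLE/pam_ftp"

printf 'securetty: %s\n' "$(check_securetty "$SAMPLE/securetty")"
printf 'PermitRootLogin: %s\n' "$(check_sshd_root "$SAMPLE/sshd_config")"
printf 'ftp root access: %s\n' "$(pam_listfile_verdict "$SAMPLE/pam_ftp" root)"
```

Point the three functions at /etc/securetty, /etc/ssh/sshd_config and /etc/pam.d/ftp to audit a real host.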