AlpineWeb Design Home

Disabling direct root login

Log into each server as root.

First, add your administrative user to the wheel group. The administrator should be your normal user without root permissions: log into the server as that user first, then su to root. The administrator must have a completely separate password from root.
  1. Edit /etc/group
  2. Locate the wheel line
  3. Add the following after root:
,administrator
  4. Save the file
Change the group of su so that it belongs to the group wheel:
chgrp wheel /bin/su
Change the mode of the file so that it stays set-user-ID root, root has read, write and execute, the group wheel has read and execute, and everyone else has no rights at all (users outside wheel can then no longer run su):
chmod 4750 /bin/su
Edit the su configuration file, /etc/auth.conf, and uncomment the line beneath this comment:

# Uncomment the following line to the user to be in the wheel group

Limiting network access to root

This restricts root to logging on only at the server console.

Edit /etc/securetty

Comment out everything except for the lines:
  • console
  • tty1
  • v/tty1
Now, edit your SSH configuration file as follows:
  1. Edit /etc/ssh/sshd_config
  2. Locate #Protocol 2, 1
  3. Uncomment it and change it to look like

    Protocol 2

  4. Add the following line:
AllowGroups wheel
  5. Next, locate #PermitRootLogin yes (it may already be uncommented)
  6. Uncomment it and make it look like
PermitRootLogin without-password
     Note that without-password only refuses password authentication for root; root can still log in over SSH with public-key authentication. Set it to no if root should not be able to log in over SSH at all. Newer OpenSSH releases spell this value prohibit-password and accept without-password as an alias.
  7. Locate #IgnoreRhosts yes (it may already be uncommented)
  8. Uncomment it (remove the #)
  9. Locate X11Forwarding no
  10. Uncomment it.
  11. Locate PermitEmptyPasswords No
  12. Uncomment it.
  13. Save the file
Now restart sshd by sending it a hangup signal, which makes it reread its configuration:
kill -HUP `cat /var/run/sshd.pid`
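As an added check (example code, not part of the original page), the POSIX sh script below reads an sshd_config and reports whether each directive set in the steps above is actually in effect, honouring only uncommented lines as sshd does; the sample config it runs on is constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# directives this procedure sets. Usage: audit_sshd_config /etc/ssh/sshd_config

# Effective value of a directive. sshd honours the first uncommented occurrence
# of a keyword (keywords are case-insensitive), so print the first match and stop.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment line
        tolower($1) == tolower(key) { print $2; exit }   # first value only
    ' "$1"
}

# Check one directive; $3 is a |-separated list of acceptable values.
check_directive() {
    actual=$(sshd_value "$1" "$2")
    if [ -z "$actual" ]; then
        echo "MISSING  $2 (want $3)"; return 1
    fi
    case "|$(echo "$3" | tr 'A-Z' 'a-z')|" in
        *"|$(echo "$actual" | tr 'A-Z' 'a-z')|"*) echo "OK       $2 $actual"; return 0 ;;
    esac
    echo "MISMATCH $2 $actual (want $3)"; return 1
}

# Returns the number of failed checks (0 means every directive matches).
# PermitRootLogin also accepts prohibit-password (OpenSSH's newer spelling of
# without-password) and the stricter "no".
audit_sshd_config() {
    failures=0
    check_directive "$1" Protocol 2 || failures=$((failures + 1))
    check_directive "$1" AllowGroups wheel || failures=$((failures + 1))
    check_directive "$1" PermitRootLogin "without-password|prohibit-password|no" || failures=$((failures + 1))
    check_directive "$1" IgnoreRhosts yes || failures=$((failures + 1))
    check_directive "$1" X11Forwarding no || failures=$((failures + 1))
    check_directive "$1" PermitEmptyPasswords no || failures=$((failures + 1))
    return $failures
}

# Demo on a constructed, still-default config: commented-out lines are not in effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
PermitEmptyPasswords No
EOF
audit_sshd_config "$sample" || echo "$? check(s) failed"   # prints "5 check(s) failed"
rm -f "$sample"
```

Run it against the live file after the edits above and before the HUP; a non-zero exit status means at least one directive is still commented out or set to a different value.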
 

IMPORTANT NOTE: This document is based on FreeBSD. The concepts should be similar across operating systems, but the commands will very likely be different. Also, never assume the directory structures exist in your system as written in the document. Never blindly follow security instructions -- read, review, compare, apply as it fits your system.