Prevent remote root logins

A discussion from the Linux Security forums, in the System Security and Security Related category. The original question from boomboom999@yahoo.com: "Hello, How can we prevent the "root" account from remote logging in via SSH and Telnet but still ..."
boomboom999@yahoo.com wrote:
> Hello,
>
> How can we prevent the "root" account from remote logging in via SSH

In the sshd_config file, include the line

PermitRootLogin no

> and Telnet

In the /etc/securetty file, make certain that there are no pts/*, ttyS* or ttyp* devices listed. Make certain that the only devices listed are the physical devices from which you want root to be able to log on.

> but still permit root-equivalent personal accounts to log in remotely?

"root-equivalent personal accounts"? Do you mean "wheel" group (or administrator group) personal accounts? Or do you really mean (implied) "UID 0, but not 'root' username"?

If you mean "UID 0", then you have a problem with a misconfigured system; there should only be /one/ UID 0 account on your system. Anything else is a configuration and operational error.

OTOH, if you mean "unprivileged personal accounts belonging to the group of pre-established administrators (sometimes known as "wheel"), who can execute administrative activities as root using the sudo command", then no special setup is required. They log on as normal, and use sudo as normal to execute their administrative tasks as root.

> Thank you in advance

You are welcome.

--
Lew Pitcher, IT Specialist, Corporate Technology Solutions, Enterprise Technology Solutions, TD Bank Financial Group
(Opinions expressed here are my own, not my employer's)
> How can we prevent the "root" account from remote logging in via SSH
> and Telnet but still permit root-equivalent personal accounts to log in
> remotely?

In file '/etc/ssh/sshd_config', set these two properties:

PermitRootLogin no
AllowUsers YOUR-USER

You won't be able to enter remotely as root on your machine. When you want to perform administrative tasks, first log in to your normal account and then run the 'su -' or 'sudo' commands.

Do NOT use telnet at all! In telnet, passwords and data are sent in the clear, and anyone sniffing communications will be able to eavesdrop on your name and password and any other data you type once logged in (such as your root password!). In fact, the best thing you could do is uninstall the telnet server!

greetings,
juanvi
Thank you

Will it work for personal user accounts that are "root-equivalent" (uid=0)? Will they be able to log on remotely?

That is what I'm looking for. I would prefer not to use "su/sudo" commands, because that makes me disclose the root password, which should be kept secret for critical situations.
juanvi wrote:
>> How can we prevent the "root" account from remote logging in via SSH
>> and Telnet but still permit root-equivalent personal accounts to log in
>> remotely?
>
> In file '/etc/ssh/sshd_config', set these two properties:
>
> PermitRootLogin no
> AllowUsers YOUR-USER
>
> You won't be able to enter remotely as root in you machine. When you
> want to perform administrative tasks, first enter in your normal
> account and then run the 'su -' or 'sudo' commands.

Can't you set up accounts in the root group, so those would have permission for most of the administrative tasks (the tasks for which the affected files are group-writeable)?

> Do NOT use telnet at all! In telnet, passwords and data are sent in
> clear and anyone sniffing communications will be able to eavesdrop your
> name and password and any other data you type once logged in (as your
> root password!). In fact, the better thing you could do is deinstalling
> the telnet server!

Definitely good advice. Plus unconditionally block port 23 (with iptables) in either direction, from any source to any destination, on all tables. That way, if the config files get accidentally changed and the telnet server is enabled, it won't matter (that much).

Carlos
On 10.04.2006, boomboom999@yahoo.com <boomboom999@yahoo.com> wrote:
> Thank you
>
> Will it work for personal user accounts that are "root-equivalent"
> (uid=0)? Is it consistent with "no direct remote root login" policy?
> Will they be able to log on remotely?
>
> That is what I'm looking for. I would prefer not to use "su/sudo"
> commands, because that make me disclose root password which should be
> kept secret for critical situations.

Eh? sudo discloses the password of the target user? Have you used sudo before?

--
Feel free to correct my English
Stanislaw Klekot
boomboom999@yahoo.com wrote:
> Thank you
>
> Will it work for personal user accounts that are "root-equivalent"
> (uid=0)?

Instead of answering that question, let's clear up a misunderstanding.

UID 0 is /the/ root account. If you have more than one user defined with UID 0, then you /do not/ have "root-equivalent" personal user accounts. Instead, you have a multitude of real "root" accounts. This in and of itself is a security failure. It doesn't matter how you try to contain it, because any one of these accounts can not only violate the security containment you are trying to institute, each of these accounts can remove the containment, and even institute their own containment, to the detriment of every other user ("root equivalent" or otherwise) on the system.

You are trying to lock the front door, but you busted the back wall completely open. Not the best security profile you could have used.

--
Lew Pitcher, IT Specialist, Corporate Technology Solutions, Enterprise Technology Solutions, TD Bank Financial Group
(Opinions expressed here are my own, not my employer's)
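An added audit script, written for this page and not posted by anyone in the thread, that checks the three controls Lew Pitcher's two replies describe: the PermitRootLogin setting in sshd_config, pseudo-terminal and serial entries in /etc/securetty, and the number of UID 0 accounts in /etc/passwd. It runs against constructed copies of those files in a temporary directory; point the functions at the real paths to audit a host.

```shell
#!/bin/sh
# Offline audit of the remote-root controls discussed in the thread.
# The sample files below are constructed; real paths are /etc/passwd,
# /etc/ssh/sshd_config and /etc/securetty.

# Count entries with UID 0 in a passwd-format file. More than one is the
# "multitude of real root accounts" misconfiguration, not "root-equivalent" users.
count_uid0() {
    awk -F: 'NF >= 3 && $3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Print the effective PermitRootLogin value. sshd uses the first value it
# reads for a keyword, so the first uncommented directive wins; commented
# lines (#PermitRootLogin) are skipped. Match blocks are not evaluated here.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Succeed only if securetty lists no pts/*, ttyS* or ttyp* devices, i.e. root
# can log in solely from the physical consoles that remain listed.
securetty_ok() {
    ! grep -Eq '^(pts/|ttyS|ttyp)' "$1"
}

# Constructed sample files: a second UID 0 user, a correct sshd_config,
# and a securetty that wrongly allows a pseudo-terminal.
tmp=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\nbob:x:0:0:second root:/home/bob:/bin/sh\n' > "$tmp/passwd"
printf '#PermitRootLogin yes\nPermitRootLogin no\nAllowUsers alice\n' > "$tmp/sshd_config"
printf 'console\ntty1\npts/0\n' > "$tmp/securetty"

echo "UID 0 accounts:  $(count_uid0 "$tmp/passwd")"
echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
if securetty_ok "$tmp/securetty"; then
    echo "securetty: only physical consoles listed"
else
    echo "securetty: pseudo-terminal or serial devices listed"
fi
rm -rf "$tmp"
```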
I am still not convinced.

Why would 3 users with SU privilege (running a shell as root) be better than 3 "root-equivalent" users (UID=0)? In both cases, I need to trust these people. In both cases, if I have a malicious or demotivated admin, my chances to survive are small ;)
boomboom999@yahoo.com writes:
> Hello,
> How can we prevent the "root" account from remote logging in via SSH
> and Telnet but still permit root-equivalent personal accounts to log in
> remotely?

telnet should be disabled. Not permitting remote login via root but allowing telnet is a bit like putting a big lock on your door, but leaving all of your windows open.

Just prevent root login. I have no idea what "root-equivalent personal accounts" are. When you log in as a user, you can always run su to become root.

> Thank you in advance