Tuesday, October 27, 2009

Re: [LINUX_Newbies] Re: protecting the root user in Centos

 

On Tue, Oct 27, 2009 at 04:01:54PM -0000, loyal_barber wrote:
> see below
>
> --- In LINUX_Newbies@yahoogroups.com, "loyal_barber" <loyal_barber@...> wrote:
> >
> > I googled this and got an option I thought would really work for me.
> >
> > 1. disallow ssh login by root
> > 2. restrict su to root to the wheel group
> > 3. disallow remote and local login for root
> >
> > #2 was accomplished with this command:
> >
> > auth required /lib/security/pam_wheel.so use_uid
> >
> > however, this allows users in the wheel group to su to root without
> > entering a password. In my mind, this is only slightly better than
> > allowing ssh root login. Any suggestions?

Usually, if Cameron is in on it, I just sit back, unless his answers
raise questions for me.

However, one thing I see--you edited /etc/pam.d/su. You uncommented the
line to implicitly trust users in wheel. What I do is leave that one
commented and uncomment the one a few lines below

# Uncomment the following line to implicitly trust users in the "wheel"
# group.
#auth sufficient pam_wheel.so trust use_uid

You uncommented that one. I leave it commented and....

# Uncomment the following line to require a user to be in the "wheel"
# group.
auth required pam_wheel.so use_uid

When it's done this way, the wheel user still has to give a password.

One other thing, I'm not sure if it's been mentioned.... I always put
ssh on a nonstandard port. Yes, it's security by obscurity, and not a
complete defense in itself, but it does help prevent all those people
pounding on the door of port 22. Move it to a higher port (but not one
used by other services--you can check that by going through
/etc/services).

Also, as I think Cameron already said, I add a few things to
sshd_config (/etc/ssh/sshd_config).

At the end I have

AllowGroups remote

This means that any username who isn't in the group called "remote" will
not be allowed in.

To change the port by the way, look for the commented line that says
Port 22. Note that in sshd_config (if you didn't already know this,
which you may have) a commented line usually means a default that IS in
action. So, you can either leave Port 22 commented and add a line or
uncomment it and change it to say 7032. (First do grep 7032
/etc/services) When nothing comes back, I know that 7032 isn't being
used for anything. Now, it should read, instead of #Port 22
Port 7032

Also, adjust your firewall. Hopefully you know how to do this. But
change whatever rules you have for port 22 to port 7032. I think there's
some GUI tool to do it now, I usually backup /etc/sysconfig/iptables,
then edit that.

Restart sshd. Errm, if you're at the machine. If this is remote, one thing
that has worked for me sometimes, but not always, and I wouldn't gamble
a 3 hour round trip on it working, is to use screen. Sometimes, if I'm
running screen, I can get away with restarting sshd remotely and not
losing my connection.

Hope this helps. If any of it isn't clear, ask again, I'm in a bit of a
hurry today, so might have been overly brief.

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Ford: I wanna be like you...A vampire.
Spike: I've known you for two minutes and I can't stand you. I
don't really feature you living forever. Can I eat him now love?
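A small check script for the three settings discussed in the message above (the pam_wheel line in /etc/pam.d/su, the effective Port / PermitRootLogin / AllowGroups values in sshd_config, and the "is this port already in /etc/services" grep). This is an added example, not code from the original post or from CentOS; it only reads files that are passed to it as arguments, and the sample config texts it creates under mktemp are constructed for the demonstration, not copied from any real host.

```shell
#!/bin/sh
# Added example: sanity checks for the su/sshd hardening steps described
# in the message. Nothing here edits a file; every function takes the
# file to inspect as an argument so it can be run against a copy.

# Effective value of an sshd_config directive. A commented "#Port 22" in
# sshd_config documents the compiled-in default but is NOT active, so
# only the first uncommented occurrence counts (sshd keeps the first
# match it sees, so a directive appended at the end of the file does not
# override one that already appears above it). Match blocks are ignored.
# Usage: sshd_effective <Directive> <sshd_config> <default-if-absent>
sshd_effective() {
    _val=$(awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2")
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf '%s\n' "$3"
    fi
}

# Which pam_wheel line is active in /etc/pam.d/su?
#   returns 0 : "auth required pam_wheel.so" active, trust line commented
#               (wheel members may su, but still give root's password)
#   returns 1 : "auth sufficient pam_wheel.so trust" active
#               (wheel members su to root with NO password)
#   returns 2 : neither line active (any user may try su, password asked)
# The trust line is checked first because a "sufficient" success short-
# circuits the auth stack, so it wins even if the required line is also
# uncommented further down.
su_wheel_policy() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$1"; then
        return 1
    elif grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; then
        return 0
    fi
    return 2
}

# The "grep 7032 /etc/services" check, anchored so that 2222/tcp does not
# count as a hit for port 22. Returns 0 if the port is unlisted, 1 if a
# service already claims it. Usage: port_unlisted <port> <services-file>
port_unlisted() {
    ! grep -Eq "^[^#].*[[:space:]]$1/(tcp|udp)" "$2"
}

# --- demonstration on constructed sample files (not real host config) ---
tmpd=$(mktemp -d)
cat > "$tmpd/sshd_config" <<'EOF'
#Port 22
#PermitRootLogin yes
Port 7032
PermitRootLogin no
AllowGroups remote
EOF
cat > "$tmpd/su" <<'EOF'
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
EOF
cat > "$tmpd/services" <<'EOF'
ssh             22/tcp
ssh             22/udp
EOF

printf 'Port:            %s\n' "$(sshd_effective Port "$tmpd/sshd_config" 22)"
printf 'PermitRootLogin: %s\n' "$(sshd_effective PermitRootLogin "$tmpd/sshd_config" yes)"
printf 'AllowGroups:     %s\n' "$(sshd_effective AllowGroups "$tmpd/sshd_config" '(unrestricted)')"
if su_wheel_policy "$tmpd/su"; then
    echo 'su: wheel only, password required'
else
    echo 'su: WARNING, check pam_wheel trust line'
fi
if port_unlisted 7032 "$tmpd/services"; then
    echo 'port 7032 not listed in services file'
fi
rm -rf "$tmpd"
```

Two practical notes that go with the message's steps: run `sshd -t` against the edited config before restarting (it reports a syntax error instead of leaving you with a daemon that will not start), and when moving the port on a remote box, leave the old port open in the firewall until you have logged in on the new one from a second session.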
