How do I restrict the use of su command?
The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly.
You can SSH in using a regular user account, then use the su command to obtain root access. This is true for any user who runs the su command and enters the root password. Root access means absolute access, so it is recommended that you limit which usernames can use the su command to get root access.
Linux systems have a group called 'wheel' that we can use for this special purpose. Add the usernames that should have su access to the wheel group, then restrict su so that only members of the wheel group can use the su command.
Add a user with the id buddy to the wheel group:
Now we need to go to the directory /etc/pam.d
/etc/pam.d$ ls -l su
-rw-r--r-- 1 root root 2303 May 26 19:53 su
Edit the PAM configuration file for su, /etc/pam.d/su, in a text editor and remove the comment (#) from the line shown below:
# auth required /lib/security/pam_wheel.so use_uid
So that it looks like this:
auth required /lib/security/pam_wheel.so use_uid
Doing this will permit only members of the group wheel to use the su command.
Below is the Debian configuration file:
# The PAM configuration file for the Shadow `su' service
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth required pam_wheel.so
Disabling SSH Login for root user
Below are instructions for disabling SSH login for the root user and allowing another user to assume the root user's permissions. This adds another layer of security because an additional username and password must now be entered before gaining root privileges.
Before you disable root logins you should add an administrative user that can ssh into the server and become root with su.
In the following example we use buddy as the username, but it can be replaced with any username you wish to use.
root@dell:~# useradd buddy
root@dell:~# id buddy
uid=1005(buddy) gid=1007(buddy) groups=1007(buddy)
Set the password for the buddy user. When prompted type and then retype the password.
root@dell:~# passwd buddy
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
SSH to the server with the new admin user and ensure that the login works.
Verify that you can su (switch user) to root with the admin user.
Edit /etc/ssh/sshd_config with your favorite text editor.
Change this line:
Ensure that you are logged into the box with another shell before restarting sshd to avoid locking yourself out of the server.
# /etc/init.d/sshd restart
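The following script is an added example, not part of the original article. It audits the result of both procedures above: that the PAM file for su has an active pam_wheel.so line, and that sshd_config disables root login. The function names and sample files are constructed for illustration, and PermitRootLogin is assumed to be the sshd_config line that the steps above change.

```shell
#!/bin/sh
# Added example (not from the original page): audit the two settings changed above.

# True if FILE has an active "auth required|requisite pam_wheel.so" line.
# Matches the bare module name and a full path such as /lib/security/pam_wheel.so.
su_restricted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so([[:space:]]|$)' "$1"
}

# Print the PermitRootLogin value sshd would read from FILE, or "unset"
# (unset means the compiled-in default applies). sshd keeps the first value
# it reads for a keyword; Match blocks and Include files are not evaluated
# here (simplifying assumption).
root_login_setting() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${v:-unset}"
}

# Audit PAM_FILE and SSHD_FILE; print one line per check, return 1 if either fails.
audit() {
    rc=0
    if su_restricted "$1"; then echo "PASS su limited by pam_wheel"
    else echo "FAIL su open to any user who knows the root password"; rc=1; fi
    setting=$(root_login_setting "$2")
    if [ "$setting" = "no" ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin is $setting"; rc=1; fi
    return $rc
}

# Constructed sample files: the stock state and the state after the steps above.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        '# auth required /lib/security/pam_wheel.so use_uid' > "$d/su.before"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'auth required /lib/security/pam_wheel.so use_uid' > "$d/su.after"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd.before"
    printf '%s\n' 'PermitRootLogin no' > "$d/sshd.after"
    echo "before:"; audit "$d/su.before" "$d/sshd.before" || true
    echo "after:";  audit "$d/su.after" "$d/sshd.after" || true
    rm -rf "$d"
}
demo
```

On a live server, call audit /etc/pam.d/su /etc/ssh/sshd_config as root before restarting sshd.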
Removing a default domain from one of your IP addresses in Plesk
Once you have set a domain to be the default domain for a specific IP address in Plesk, you will not be able to deselect that particular domain. At this point you only have the option of switching the IP address to another domain on your server.
If you would like to do this there is a solution using MySQL commands. You can manually set the default_domain_id to zero for a specific IP address directly in the Plesk database. Make sure to replace IPADDRESS with your address.
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` -Dpsa -e "UPDATE IP_Addresses SET default_domain_id = 0 WHERE ip_address = 'IPADDRESS';"
The following command will remove the default domain setting for all IP addresses:
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` -Dpsa -e "UPDATE IP_Addresses SET default_domain_id = 0;"
Then you need to use the command ‘websrvmng’ to apply changes:
# /usr/local/psa/admin/sbin/websrvmng -a -v
How to block a specific IP Address from accessing your Website
If you have annoying visitors, site scrapers, or spammers, you may find it useful to block these users from accessing your website content. You can block bad visitors by IP Address (or blocks of IP Addresses) using a .htaccess file. Below are some useful examples.
In the following example, all IP Addresses and domains are accepted, except for xxx.xxx.xxx.xxx and
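# allow all except those indicated here
# "order allow,deny" makes a matching deny win over "allow from all"
order allow,deny
allow from all
deny from xxx.xxx.xxx.xxx
# deny from takes a (partial) domain name, not a regular expression
deny from bad-site-example.com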
In the following example, all IP addresses are denied access except for xxx.xxx.xxx.xxx and
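# Deny access to everyone, except those listed here:
# "order deny,allow" makes a matching allow win over "deny from all"
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
# allow from takes a (partial) domain name, not a regular expression
allow from good-site-example.com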
Configuring AwStats to show the country of site visitors.
By default AwStats does not show the source country for visitors viewing a domain. To enable this feature, the GeoIP plugin should be configured. Here is the information about this plugin from /etc/awstats/awstats.conf:
# Plugin: GeoIP
# Perl modules required: Geo::IP or Geo::IP::PurePerl (from Maxmind)
# Country chart is built from an Internet IP-Country database.
# This plugin is useless for intranet only log files.
# Note: You must choose between using this plugin (need Perl Geo::IP module
# from Maxmind, database more up to date) or the GeoIPfree plugin (need
# Perl Geo::IPfree module, database less up to date).
# This plugin reduces AWStats speed of 8% !
Usually, the geoip.pm plugin comes with the AwStats package, but the Perl modules necessary for the plugin to work (Geo::IP or Geo::IP::PurePerl) should be installed. You can get all the necessary installation instructions and downloadable plugin files (for example, the "Geo::IP::PurePerl Module" library) from here:
The plugin needs to be enabled in the main AwStats configuration files:
It also needs to be enabled in the files that Plesk has already configured for every domain, which can be found in /usr/local/psa/etc/awstats/*. The line that should be added to all of these files looks like this:
LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
Latest GeoIP.dat can be found at http://www.maxmind.com/