Methods of Disabling the Root Account.

Changing the root shell.

To prevent users from logging in directly as root, the system administrator can set the root account’s shell to /sbin/nologin in the /etc/passwd file.

Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.

The following programs are prevented from accessing the root account:

· login
· gdm
· kdm
· xdm
· su
· ssh
· scp
· sftp

Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs, are not affected. The following programs are not prevented from accessing the root account:

· sudo
· FTP clients
· Email clients

Disabling root access via any console device (tty).

An empty /etc/securetty file prevents root login on any devices attached to the computer.

echo > /etc/securetty

Disabling root SSH Login.

Edit the /etc/ssh/sshd_config file, and set the PermitRootLogin parameter to no.

# PermitRootLogin yes

to

PermitRootLogin no

Use PAM to limit root access to services.

Edit the file for the target service in the /etc/pam.d/ directory. Make sure that pam_listfile.so is required for authentication.
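
The following shell functions are an added example, not part of the original page: they check each of the four settings described above in a file passed as an argument, and show that a PermitRootLogin line left behind a # has no effect. The function names, the sample files and the file= path in the PAM line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the four controls above. Each function
# takes the file to inspect, so it can be pointed at a copy.

# Print the login shell recorded for root in a passwd-format file.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Succeed if the securetty file exists and lists no terminal
# (the blank line written by `echo >` is not an entry).
securetty_blocks_root() {
    [ -f "$1" ] && ! grep -q '[^[:space:]]' "$1"
}

# Print the first uncommented PermitRootLogin value, or "unset" when every
# occurrence is commented out and sshd falls back to its built-in default.
# Simplification: Match blocks and the "Keyword=value" form are not handled.
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed if a PAM service file has an uncommented auth line that marks
# pam_listfile.so as required.
pam_requires_listfile() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /pam_listfile\.so$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$demo/passwd"
echo > "$demo/securetty"
printf '# PermitRootLogin yes\n#PermitRootLogin no\n' > "$demo/sshd_commented"
printf '# PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_active"
# The file= path below is a constructed placeholder.
printf 'auth required pam_listfile.so item=user sense=deny file=/etc/example.denyusers onerr=succeed\n' > "$demo/pam_service"

echo "root shell:       $(root_shell "$demo/passwd")"
securetty_blocks_root "$demo/securetty" && echo "securetty:        no terminals listed"
echo "sshd, commented:  $(sshd_root_login "$demo/sshd_commented")"
echo "sshd, active:     $(sshd_root_login "$demo/sshd_active")"
pam_requires_listfile "$demo/pam_service" && echo "pam_listfile:     required"
```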
