Methods of Disabling the Root Account.

Methods of Disabling the Root Account.

Changing the root shell.

To prevent users from logging in directly as root, the system administrator can set the root ac-count’s shell to /sbin/nologin in the /etc/passwd file.

Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.

The following programs are prevented from ac-cessing the root account:

· login
· gdm
· kdm
· xdm
· su
· ssh
· scp
· sftp

Programs that do not re-quire a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root ac-count:

· sudo
· FTP clients
· Email clients

Disabling root ac-cess via any con-sole device (tty).

An empty /etc/securetty file prevents root login on any devices attached to the computer.

echo > /etc/securetty

Disabling root SSH Login.

Edit the /etc/ssh/sshd_config file, and set the PermitRootLo-gin parameter to no.

# PermitRootLogin yes

to

#PermitRootLogin no

Use PAM to limit root access to services.

Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is re-quired for authentication.

Tags: , , ,

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.