Securing Root Logins
Written by Luke MacNeil   
Monday, 13 October 2008
It may be necessary to lock down the root account so that it can only be
accessed over certain protocols. This is a common requirement of any security
audit, including SOX and SAS70, and is extremely good practice.
The easiest way to secure the root account is to disable remote login for it
completely. This is done in the /etc/default/login file by modifying the
CONSOLE directive, which allows root to log on to the system only when the
user is physically sitting at the console.

It is also possible to stop root from logging in over ssh in the sshd
configuration file /etc/ssh/sshd_config by changing the directive:

"#PermitRootLogin yes" to "PermitRootLogin no"

Unfortunately, it's generally not ideal to completely disable remote root login.
We probably want to be a bit more granular with our access control.

In this case it is better to restrict root login to specific subnets
or IP addresses. For this more granular access control in Linux, we use
PAM (Pluggable Authentication Modules). As the name suggests, there are many
modules that can be included to restrict access to different services and
protocols. The most useful one (at least to us) is pam_access.so.

The pam_access.so module is configured with the /etc/security/access.conf file.
In this configuration file we can set up a "template" for access control that
can be used by different services.

On our system, we've limited the root account to log on via cron, a list of
specific IPs, and to deny everything else. We did this by setting the following
in /etc/security/access.conf

/etc/security/access.conf:
# User "root" should be allowed to get access via cron .. tty5 tty6.
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
# User "root" should be allowed to get access from hosts with ip addresses.
+ : root : 192.168.0.1 192.168.0.5 192.168.0.17
+ : root : 127.0.0.1
# User "root" should be denied to get access from all other sources.
- : root : ALL


This syntax should be relatively easy to understand.

+      : root          : 127.0.0.1
allow    the user root   to log on from 127.0.0.1 (localhost)

Please note the last line in the example above:
- : root : ALL
It is not by coincidence that the deny statement comes last. pam_access uses
the first rule that matches, so the catch-all deny has to follow the allow
lines.


This sets up a template for access control. We can set each system service to
make use of it or not. In this case, we want ssh to use these access rules, so
in /etc/pam.d/sshd.conf, we want to turn on pam_access.so.

/etc/pam.d/sshd.conf:
# add login restrictions (access.conf)
account required pam_access.so


Basically, this states that in order for ssh authentication to be successful, it
is required that the rules used by pam_access.so (set in access.conf) are met.
Otherwise access should be denied.

With this in place, only the IPs that we specified in access.conf can log in.
If someone provides the correct root credentials, but from another system that
is not explicitly set in access.conf, they will be denied access to the system,
and this will be logged to /var/log/messages:

warn:Oct 23 13:46:22 lukesbox sshd[9944]: error: PAM: Permission denied for
root from 10.31.129.37


Note: this message is logged by PAM, not directly from ssh.

This method allows us to restrict root login to specific machines.
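
To check a rule set before deploying it, the following added example (not part
of the original article) models how pam_access walks access.conf and runs the
rules above against a few origins. It assumes the documented first-match
behaviour and handles only literal names, ALL and network/prefix origins (no
groups, EXCEPT or LOCAL); the function names are this example's own.

```python
import ipaddress

# The article's rules, embedded so the example runs offline.
ACCESS_CONF = """\
# rules for root, copied from the article
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : root : 192.168.0.1 192.168.0.5 192.168.0.17
+ : root : 127.0.0.1
- : root : ALL
"""

def parse_rules(text):
    """Return [(permit, users, origins)] from access.conf-style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first two ':' separate fields; origins such as ':0' keep theirs.
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, origin):
    """Match ALL, a literal tty/service/address, or a network/prefix token."""
    if token == "ALL" or token == origin:
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:  # token or origin is not an IP address/network
        return False

def decide(rules, user, origin):
    """Return (allowed, rule_number); the first matching rule wins."""
    for n, (permit, users, origins) in enumerate(rules, 1):
        if (user in users or "ALL" in users) and any(
                origin_matches(t, origin) for t in origins):
            return permit, n
    return True, None  # no rule matched: access is granted by default

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for origin in ("192.168.0.5", "10.31.129.37", "tty1"):
        print(origin, decide(rules, "root", origin))
    # Moving the deny to the top shadows every allow line below it.
    broken = [rules[-1]] + rules[:-1]
    print("deny first:", decide(broken, "root", "192.168.0.5"))
```

Because a user with no matching rule is granted access, these rules restrict
root only; other accounts need their own entries if they are to be limited too.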