January 9, 2012

Linux “root” tweaks

Tired of always being afraid someone will hack into your Linux computer/server?

One of the most important steps is to make sure the attacker can’t log in with the “root” account.

In order to do this, you have to:

  1. Make sure you can “switch user” to root (you will need to be able to control your system, after all)
  2. Make sure that nobody can log in as root, either remotely or locally.

There is more than one way to do this, but this is the method I prefer (since I’m also a fan of Pluggable Authentication Modules, a.k.a. PAM). Please keep in mind that all commands have to be run in the console. Don’t type the leading “#” or “$”: they only mark whether a command has to be run as root (“#”) or as a regular user (“$”).

  • Add your user to the wheel group:
    # usermod -G wheel -a username
  • Change permissions for “su”:
    # nano -w /etc/pam.d/su

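    Add the following lines here. The first lets members of wheel run su without being asked for a password (trust); the second denies su to anyone who is not in wheel: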

    auth sufficient pam_wheel.so trust use_uid
    auth required pam_wheel.so use_uid

    On some systems you might have to add the same lines to the file /etc/pam.d/su-l

    Please log out now and log back in to test that it’s running as it should:

    $ su -
    #

    Don’t proceed to the next step until you have made sure it works, or else you’ll have to hack into your own Linux machine (this will be covered at a later date).

  • Disable root password (yes, erase it!):
    # nano -w /etc/shadow

    The first line should look similar to this one (only the huge string should be different):

    root:$6$K8ZWaM00$mb9zw4hCmbrphXuaarQ4VXlgAI6hNAY9UPAMhdd.ixCDblimHGgH0ROvV9G2ujtkI29vz7gJ6bXG4scracDI31:15348:0:99999:7:::

    After you edit the file, it should look like this:

    root:!!:15348:0:99999:7:::
  • Disable root login via SSH (this isn’t really necessary, but if you decide at a later date to re-enable the root password, you won’t want anyone trying to guess it):
    # nano -w /etc/ssh/sshd_config

    Look for the line that starts with:

    #PermitRootLogin

    Replace that line with:

    PermitRootLogin no

Done! Now log out of all accounts. From now on you’ll only be able to become root by running “su” from one of the “wheel” group accounts.
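To confirm the end state of the steps above, here is a small audit script, added as an example and not part of the original post. The function names, the sample directory layout and the wheel GID are assumptions made for the illustration; the sample files are constructed to mirror the configuration shown in the post.

```shell
#!/bin/sh
# Added example: audit the four settings from this post. Each check takes a
# file path so it can run on copies; audit "" checks the live system (as root).

wheel_has_member() {     # someone must be able to su before root is locked
    # Only supplementary members (field 4) are seen, not primary-group users.
    awk -F: '$1 == "wheel" && $4 != "" { ok = 1 } END { exit !ok }' "$1"
}

su_wheel_enforced() {    # both pam_wheel.so auth lines present and uncommented
    awk '$1 == "auth" && $3 == "pam_wheel.so" {
             if ($2 == "required") req = 1
             if ($2 == "sufficient" && /trust/) suf = 1
         } END { exit !(req && suf) }' "$1"
}

root_pw_locked() {       # "!" or "*" prefix = locked; an EMPTY field is not
    awk -F: '$1 == "root" { ok = ($2 ~ /^[!*]/) } END { exit !ok }' "$1"
}

ssh_root_login_disabled() {
    # sshd uses the first value it reads for a keyword; a commented line does
    # not count. Match blocks and Include files are not followed here.
    awk 'tolower($1) == "permitrootlogin" { v = $2; exit }
         END { exit !(v == "no") }' "$1"
}

check() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }
audit() {                # $1 = prefix holding etc/..., "" for the live system
    fails=0
    check wheel_has_member        "$1/etc/group"
    check su_wheel_enforced       "$1/etc/pam.d/su"
    check root_pw_locked          "$1/etc/shadow"
    check ssh_root_login_disabled "$1/etc/ssh/sshd_config"
    return "$fails"      # number of failed checks
}

make_sample() {          # constructed files mirroring the post's end state
    mkdir -p "$1/etc/pam.d" "$1/etc/ssh"
    echo 'wheel:x:10:username' > "$1/etc/group"
    printf '%s\n' 'auth sufficient pam_wheel.so trust use_uid' \
                  'auth required pam_wheel.so use_uid' > "$1/etc/pam.d/su"
    echo 'root:!!:15348:0:99999:7:::' > "$1/etc/shadow"
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$1/etc/ssh/sshd_config"
}

sample=$(mktemp -d) && make_sample "$sample" && audit "$sample"
```

The shadow check deliberately treats an empty password field as a failure: that state allows a passwordless login and is not the same as a locked account.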

Feedback is welcome. If you have any other tips to add, drop me a line (or a comment below).
