http://www.linuxtopia.org/online_books/redhat_linux_security_guide/s1-wstation-privileges.html
If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer toSection 4.2.2 Boot Loader Passwords for more on this topic.)
Table 4-1 shows ways an administrator can further ensure that root logins are disallowed:
| Method | Description | Effects | Does Not Affect |
|---|
| Changing the root shell. | Edit the /etc/passwd file and change the shell from /bin/bash to/sbin/nologin. | | Prevents access to the root shell and logs the attempt. | | The following programs are prevented from accessing the root account: | | � login | | � gdm | | � kdm | | � xdm | | � su | | � ssh | | � scp | | � sftp |
| | Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. | | The following programs are notprevented from accessing the root account: | | � sudo | | � FTP clients | | � Email clients |
|
| Disabling root access via any console device (tty). | An empty /etc/securetty file prevents root login on any devices attached to the computer. | | Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account: | | � login | | � gdm | | � kdm | | � xdm | | � Other network services that open a tty |
| | Programs that do not log in as root, but perform administrative tasks through through setuid or other mechanisms. | | The following programs are notprevented from accessing the root account: | | � su | | � sudo | | � ssh | | � scp | | � sftp |
|
| Disabling root SSH logins. | Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no. | | Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account: | | � ssh | | � scp | | � sftp |
| | This only prevents root access to the OpenSSH suite of tools. |
|
| Use PAM to limit root access to services. | Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.[a] | | Prevents root access to network services that are PAM aware. | | The following services are prevented from accessing the root account: | | � FTP clients | | � Email clients | | � login | | � gdm | | � kdm | | � xdm | | � ssh | | � scp | | � sftp | | � Any PAM aware services |
| | Programs and services that are not PAM aware. |
|
Notes:
a. Refer to Section 4.4.2.4 Disabling Root Using PAM for details.
|
Table 4-1. Methods of Disabling the Root Account
没有评论:
发表评论