Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I was told that there is a way to disable remote root access.
Example:
When a user telnets to <ipaddress>,
the user can only log in as a normal user, then su to root.
But with telnet to <ipaddress>,
logging in as root will be denied.
The file is called /etc/securetty. It lists the (virtual) consoles root is allowed to log in at.
Commenting out will disable a tty/virtual console, deleting the file will disable root logins completely.
Did someone already lecture you on the security problems you face when using telnet? :-]
I mean, even logging in and su-ing to root won't help, because *all* your communications through telnet can be read.
I would like you to consider using Ssh/sshd if you value your box(en).
...OTOH, if you're referring to this thread's starting question, and so only want to deny *root* access to telnet:
Telnet doesn't send the username "in advance" like ssh does (ssh -l username), so the server doesn't know who's over there until you provide a username to log in with, so using a line like
"in.telnetd root@somehost"
in /etc/hosts.deny (for TCP wrappers-aware apps) wouldn't work (right, anyone?).
Ok, so when connecting, telnetd "hands over" control to pam/login for authorization, and here pam kicks in (/etc/pam.d/login, first line) if no "ttyp*" lines are available in /etc/securetty, to deny a direct root login.
Still doesn't work.
I renamed securetty to securetty.bak for future usage
and changed /etc/xinetd.d/telnet - disable to yes,
then telnet quetec - login root... still can log in.
For a properly constricted root login, I'd recommend
adding
Code:
account required /lib/security/pam_access.so
to /etc/pam.d/login, and then editing /etc/security/access.conf properly. The pam.d line forces all logins to be pushed through the access module, which is controlled by that conf file. I sussed this out as my housemates refused to change terminal to one dedicated to them when they wanted to check their mail, so I made it so it was impossible for them to log in on any other:
+:emma:tty4
+:katie:tty3
-:sarah:ALL EXCEPT LOCAL
-:cake:ALL
So emma can only log in on tty4, katie on tty3, sarah anywhere locally (cos she's my fiancée...) and then the last line defines the group they're all in, and refuses login if the login didn't get picked up already.
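An added example, not part of any post in this thread: a simplified Python model of how pam_access walks the four access.conf rules quoted above (first matching rule decides, no match means access is granted). The membership of the group "cake", the host name in the usage note and all function names are assumptions made for the illustration.

```python
# Added example: simplified model of pam_access rule evaluation.
RULES = """\
+:emma:tty4
+:katie:tty3
-:sarah:ALL EXCEPT LOCAL
-:cake:ALL
"""

def parse(text):
    """Split each rule into (permission, user tokens, origin tokens)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def list_match(tokens, item, match_one):
    """'A B EXCEPT C' matches when A or B matches and C does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], item, match_one)
                and not list_match(tokens[i + 1:], item, match_one))
    return any(match_one(tok, item) for tok in tokens)

def origin_match(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":  # access.conf(5): any string without a "."
        return "." not in origin
    return token == origin

def decide(rules, user, origin, groups):
    """First matching rule wins; if nothing matches, access is granted."""
    def user_match(token, name):
        return token in ("ALL", name) or name in groups.get(token, ())
    for perm, users, origins in rules:
        if list_match(users, user, user_match) and \
           list_match(origins, origin, origin_match):
            return perm == "+"
    return True

# Constructed membership: whether sarah belongs to "cake" is an assumption.
CAKE_ALL = {"cake": {"emma", "katie", "sarah"}}
CAKE_TWO = {"cake": {"emma", "katie"}}
```

In this model `decide(parse(RULES), "sarah", "tty1", CAKE_ALL)` is refused by the final `-:cake:ALL` line, so a local login for sarah only gets through if sarah is outside that group. A user matched by no rule, such as root arriving from `host.example.org`, is granted by pam_access and has to be refused by a rule of its own or by another module.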