LinuxQuestions.org
03-11-2008, 01:47 AM   #1
vvcat (LQ Newbie; Registered: Mar 2008; Posts: 18)

Only allow root login on console

Hi all,

We would like the root account to be allowed to log on only from the console and not through any tty, so our settings are as below, but root can still log on through ssh or telnet. Can anybody help? Many, many thanks.

#cat /etc/securetty
console

#cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_ck_connector.so

03-11-2008, 02:17 AM   #2
Simon Bridge (LQ Guru; Registered: Oct 2003; Location: Waiheke NZ; Distribution: Ubuntu; Posts: 9,211)
Assuming for the moment that you don't allow anybody to login with telnet (especially not root)... that leaves ssh logins. This is done by adding a line like this to /etc/ssh/sshd_config

Code:
AllowUsers      root
Though it is better to allow a user, and give that user specific permission for the particular admin tasks you want done.

03-20-2008, 02:44 AM   #3
evilDagmar (Member; Registered: Mar 2005; Location: Right behind you.; Distribution: NBG, then randomed.; Posts: 480)
Just freaking turn OFF telnet.

As to disabling root logins over ssh, in your sshd_config (likely in /etc/sshd) should be a commented out line like:

#PermitRootLogin yes

Simply take out the "#", change "yes" to "no" and restart sshd.


03-20-2008, 03:04 AM   #4
jschiwal (LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733)
Not allowing any local tty logins may not be a good goal. What are you going to do if the NIC device goes out? Or if you accidentally lock yourself out of remote logins?

Root logins for ssh are also not a good idea. You can use the "AllowUsers" or "AllowGroups" options in sshd_config to only allow certain users the ability to log in. They can then use "su" or "sudo" to do what they need to.
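As an added example (not code from the thread or from any poster), the following POSIX shell script applies the advice from posts #3 and #4 to an sshd_config file: it sets PermitRootLogin no and limits logins to one group with AllowGroups, rewriting an existing directive instead of appending a second copy, because sshd honours the first occurrence of a keyword and Match blocks must stay at the end of the file. The file path, the group name sshusers and the sample config it writes are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: idempotently set global sshd_config directives.
# Assumed OpenSSH rules: first global occurrence of a keyword wins;
# "Match" blocks are conditional and must remain at the end of the file.

# set_directive FILE KEYWORD VALUE
# Rewrites the first active global KEYWORD line in place, comments out later
# global duplicates, and inserts the directive before any Match block (or at
# the end) when it was absent or only present as a commented-out line.
set_directive() {
    _tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        tolower($1) == "match" {
            if (!done) { print key, val; done = 1 }   # insert before Match
            inmatch = 1                               # leave Match blocks alone
        }
        !inmatch && tolower($1) == tolower(key) {
            if (!done) { print key, val; done = 1 } else { print "#" $0 }
            next
        }
        { print }
        END { if (!done) print key, val }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"   # cat keeps the file's mode/owner
    rm -f "$_tmp"
}

# effective_directive FILE KEYWORD: the value sshd uses (first active global line)
effective_directive() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# write_sample_config FILE: constructed sample resembling a stock sshd_config
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
}

# harden FILE GROUP: root may not log in over ssh; only GROUP members may
harden() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowGroups "$2"
}
```

After running harden on a real file, check it with `sshd -t` before restarting sshd, and keep an open session until a second login succeeds so a mistake does not lock you out.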

03-20-2008, 11:01 PM   #5
rg.viza (Member; Registered: Aug 2006; Posts: 74)
Quote:
Originally Posted by jschiwal
Not allowing any local tty logins may not be a good goal. What are you going to do if the NIC device goes out? Or if you accidentally lock yourself out of remote logins?
Yeah, especially considering anyone with local access *will* root it in a few minutes with a boot CD if they have half a clue and that's what they want to do. Disabling the CD in the BIOS and putting a BIOS password on won't help either; you can simply reset the BIOS with a jumper. Physical access > all software security measures. Not allowing local logins won't matter at that point. With a boot CD you don't need to log in.

A good lock on a sturdy rack cabinet is a much better (and secure) physical security solution. Think Medeco grade 1 for ultimate physical security, at least until people figure out how to bump key that one too.

If they have to hack through a bunch of hardened wire to get to the box, they'll find an easier target.

Is this at work? Suggest that the best physical security measure is good physical security, then demonstrate how easy it is to get around a local tty lockout with a boot cd. The setup disk for the distro you are using probably has a rescue mode that can be used for this demonstration.

On red hat it's:
linux rescue

at the boot prompt before setup.

#chroot /mnt/sysimage

Edit the files you need to, change root password, reboot.

Of course a sawzall will cut through most stuff like butter, but those are pretty loud and will usually attract attention. Not good for someone trying to maintain a low profile and get into a box unnoticed.

-Viz