So, here we are in another installment of my Linux Security Series. To catch up, read the intro post, and check out the other articles.
So, as you should know by now, you should never log in as root. Log in as a regular user, then use sudo to run commands, or su to become root.
The real benefit of using su/sudo is that it lets you disallow root logins entirely. Here is a little excerpt from the logs of a server I run on the internets:
Oct 14 20:31:59 Tomahawk sshd[82597]: error: PAM: authentication error for root from 188-193-191-72-dynip.superkabel.de
Oct 14 20:32:33 Tomahawk sshd[82600]: error: PAM: authentication error for root from s01060000c5ca5b32.su.shawcable.net
Oct 14 20:33:19 Tomahawk sshd[82616]: error: PAM: authentication error for root from 58.26.82.163
Oct 14 20:33:54 Tomahawk sshd[82619]: error: PAM: authentication error for root from mail.act.by
Oct 14 20:34:34 Tomahawk sshd[82622]: error: PAM: authentication error for root from 115.168.35.219
Oct 14 20:35:20 Tomahawk sshd[82628]: error: PAM: authentication error for root from p5098cd41.dip0.t-ipconnect.de
Oct 14 20:35:54 Tomahawk sshd[82631]: error: PAM: authentication error for root from 75-148-164-97-houston.hfc.comcastbusiness.net
Oct 14 20:36:34 Tomahawk sshd[82634]: error: PAM: authentication error for root from mulligan.softspike.org
Oct 14 20:37:23 Tomahawk sshd[82639]: error: PAM: authentication error for root from 69.red-80-33-156.staticip.rima-tde.net
Oct 14 20:38:04 Tomahawk sshd[82642]: error: PAM: authentication error for root from 119.62.128.19
Oct 14 20:38:39 Tomahawk sshd[82645]: error: PAM: authentication error for root from 221.7.58.36
Oct 14 20:39:22 Tomahawk sshd[82648]: error: PAM: authentication error for root from 122.224.128.197
Oct 14 20:40:06 Tomahawk sshd[82654]: error: PAM: authentication error for root from 123.147.144.45
Oct 14 20:40:48 Tomahawk sshd[82657]: error: PAM: authentication error for root from 202.97.0.76
Oct 14 20:41:27 Tomahawk sshd[82660]: error: PAM: authentication error for root from 220.194.66.56
Oct 14 20:41:48 Tomahawk sshd[82663]: Invalid user wawa from 84.1.106.142
Oct 14 20:41:49 Tomahawk sshd[82665]: Invalid user wawa from 84.1.106.142
Oct 14 20:41:50 Tomahawk sshd[82667]: Invalid user wawa from 84.1.106.142
Oct 14 20:41:52 Tomahawk sshd[82669]: Invalid user wawa from 84.1.106.142
Oct 14 20:41:53 Tomahawk sshd[82671]: Invalid user mail from 84.1.106.142
Oct 14 20:41:54 Tomahawk sshd[82673]: Invalid user mail from 84.1.106.142
Oct 14 20:41:56 Tomahawk sshd[82675]: Invalid user mail from 84.1.106.142
Oct 14 20:41:57 Tomahawk sshd[82677]: Invalid user mail from 84.1.106.142
Oct 14 20:41:58 Tomahawk sshd[82679]: Invalid user local from 84.1.106.142
Oct 14 20:42:00 Tomahawk sshd[82681]: Invalid user local from 84.1.106.142
Oct 14 20:42:01 Tomahawk sshd[82683]: Invalid user local from 84.1.106.142
Oct 14 20:42:02 Tomahawk sshd[82685]: Invalid user local from 84.1.106.142
Oct 14 20:42:05 Tomahawk sshd[82687]: error: PAM: authentication error for root from 211.143.240.6
Lots of failed login attempts for root, as well as for some other common accounts (mail and local here, but I've also seen lots for admin, user, test, webmaster, etc.). A friend checked his server and saw tons of service names, as well as common first and last names. These are all attempts to break into your system. Most are simply bots that try to connect over SSH using a massive list of common usernames and passwords. If you look at the times, many are within a few seconds of each other. Almost any box on the internet with ssh running on port 22 is being bombarded with these every day.
Now, if you have root login over SSH disabled and you don't use a common username, you're blocking the vast majority of these attempts. Great, you think, now how do I do that?
Well, you could look up how to do it on your OS (if the steps below don't work for you), but here's how to disable root logins over SSH on many Linux/Unix distros.
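As an added example (mine, not part of the original post), here is a small POSIX shell/awk script that turns log lines like those above into per-user and per-source counts and flags sources that hammer the box within a short window, the "within a few seconds of each other" pattern. The sample lines are constructed with documentation addresses, and the function names are my own:

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd brute-force noise
# from auth-log lines. Needs only POSIX sh, awk and sort. The hostnames/IPs
# below are constructed placeholders modelled on the excerpt, not real sources.

SAMPLE_LOG='Oct 14 20:31:59 Tomahawk sshd[82597]: error: PAM: authentication error for root from 192.0.2.10
Oct 14 20:32:33 Tomahawk sshd[82600]: error: PAM: authentication error for root from 198.51.100.7
Oct 14 20:33:19 Tomahawk sshd[82616]: error: PAM: authentication error for root from 192.0.2.10
Oct 14 20:41:48 Tomahawk sshd[82663]: Invalid user wawa from 203.0.113.5
Oct 14 20:41:49 Tomahawk sshd[82665]: Invalid user wawa from 203.0.113.5
Oct 14 20:41:53 Tomahawk sshd[82671]: Invalid user mail from 203.0.113.5
Oct 14 20:42:05 Tomahawk sshd[82687]: error: PAM: authentication error for root from 198.51.100.7'

# Reads log lines on stdin; prints "user NAME COUNT" and "host SOURCE COUNT"
# rows, each kind sorted by count (descending) then name. Both sshd message
# forms end in "... <user> from <source>", so the user is field NF-2 and the
# source is the last field.
summarize_sshd_failures() {
    awk '
        /authentication error for .* from / || /Invalid user .* from / {
            users[$(NF-2)]++
            hosts[$NF]++
        }
        END {
            for (u in users) print "user", u, users[u]
            for (h in hosts) print "host", h, hosts[h]
        }
    ' | sort -k1,1 -k3,3nr -k2,2
}

# Reads log lines on stdin; prints each source that made at least MIN failed
# attempts inside any WINDOW-second span. Assumes the lines are in time order
# (as syslog writes them) and ignores midnight rollover.
bursty_sources() {
    window=${1:-60}
    min=${2:-3}
    awk -v win="$window" -v min="$min" '
        function tosec(ts,  p) { split(ts, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /authentication error for .* from / || /Invalid user .* from / {
            h = $NF; n[h]++; t[h, n[h]] = tosec($3)   # $3 is the HH:MM:SS field
        }
        END {
            for (h in n)
                for (i = 1; i <= n[h]; i++) {
                    c = 0
                    for (j = i; j <= n[h]; j++) if (t[h, j] - t[h, i] <= win) c++
                    if (c >= min) { print h; break }
                }
        }
    ' | sort
}

# Convenience wrappers over the constructed sample.
sample_root_failures() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_sshd_failures | awk '$1 == "user" && $2 == "root" { print $3 }'
}
sample_top_source() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_sshd_failures | awk '$1 == "host" { print $2; exit }'
}
sample_bursty_sources() {
    printf '%s\n' "$SAMPLE_LOG" | bursty_sources 60 3
}

printf '%s\n' "$SAMPLE_LOG" | summarize_sshd_failures
echo "bursty sources: $(sample_bursty_sources)"
```

On a real box, feed it your auth log instead of the sample (`summarize_sshd_failures < /var/log/auth.log`, or `secure` on Red Hat style systems); the `root` row is the one that should drop to zero once the PermitRootLogin change below is in place.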
1) Before you continue, be sure that you have a non-root account that you can log in with, and that it can use sudo or su to become root. Without this, you will be locked out of your system. It's not too bad if you're sitting at your desktop, but it's a real pain if it's a system locked up in a datacenter somewhere. I've driven to the datacenter at 7PM before (to fix a firewall I screwed up; luckily it was only a 30 min drive), and it's not the most fun way to spend an afternoon.
Much of this process could be distribution dependent, so check your distro documentation. The useradd command is available on most (all?) linux/unix systems. You can also use any GUI tools your particular linux distribution uses. You may also want to add your user to the wheel group, or an admin or other group if your distribution has it. More details on that later.
2) Find your sshd_config file (not ssh_config, which configures the client). It's usually in /etc/ssh/ or /usr/local/etc/ssh. If you're having trouble, try locate sshd_config
3) Edit the file with your favorite text editor. I'd recommend nano if you're not familiar with one: nano /etc/ssh/sshd_config
4) Search the file for "PermitRootLogin" (Ctrl+W in nano). If it's there, make sure it's not commented out (remove the leading '#' if present) and set it to "no". If you can't find it, add the line PermitRootLogin no somewhere; put it at the bottom if you don't know where else to put it.
5) Save and close the file. In nano that's Ctrl+X, then Y to save, then Enter to keep the same filename.
6) Restart OpenSSH (the SSH server). Again, this is somewhat OS dependent. On Red Hat derived OSes (Red Hat, Fedora, CentOS, Adios, etc.), you can simply do service sshd restart. On other Linuxes you'll probably do /etc/init.d/ssh restart. On Arch Linux and FreeBSD, it's /etc/rc.d/sshd restart.
Now, try to log in as "root" over ssh. It shouldn't allow it, even with the correct password.
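Here is the same change as a script, added as an example rather than taken from the post. It edits whichever sshd_config path you hand it, honouring two sshd rules worth knowing before you "add it at the bottom": sshd uses the first uncommented occurrence of a directive, and anything after a Match line applies only inside that block, so a line appended below a Match block would not set the global default. The function names and the sshd -t syntax check helper are my additions:

```shell
#!/bin/sh
# Added example (not the original post's steps, which do this by hand in nano):
# set "PermitRootLogin no" in an sshd_config idempotently and read back the
# effective value. Function names are my own; the path is a parameter so you
# can try it on a scratch copy before touching /etc/ssh/sshd_config.

# Print the global PermitRootLogin value. sshd takes the FIRST uncommented
# occurrence, and anything after a "Match" line only applies inside that
# block, so stop at the first Match. Prints "default" if the directive is absent.
permit_root_login_value() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Rewrite CFG so the global section contains exactly one active
# "PermitRootLogin no": replace the first active directive if there is one,
# else uncomment-and-replace the first commented one, else insert before the
# first Match block (or append if there is none). Directives inside Match
# blocks are left alone. A backup is written to CFG.bak first.
disable_root_login() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    cp -p "$cfg" "$cfg.bak" || return 1
    awk '
        NR == FNR {                      # pass 1: locate the line to rewrite
            if (tolower($1) == "match") in_match = 1
            if (in_match) next
            l = $0; sub(/^[ \t]*#*[ \t]*/, "", l); split(l, f, /[ \t]+/)
            if (tolower(f[1]) == "permitrootlogin") {
                if ($0 ~ /^[ \t]*#/) { if (!commented) commented = FNR }
                else if (!active) active = FNR
            }
            next
        }
        FNR == 1 { target = active ? active : commented }   # pass 2 starts
        FNR == target { print "PermitRootLogin no"; done = 1; next }
        !done && !target && tolower($1) == "match" { print "PermitRootLogin no"; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Syntax-check a config with sshd's test mode before restarting the daemon
# (needs sshd on PATH and normally root, since it loads the host keys).
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not on PATH; skipping syntax check" >&2; return 0; }
    sshd -t -f "$1"
}

# Demo on a constructed scratch copy shaped like a stock config.
demo=$(mktemp) || exit 1
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    'Match User backup' '    PermitRootLogin yes' > "$demo"
echo "before: $(permit_root_login_value "$demo")"
disable_root_login "$demo"
echo "after:  $(permit_root_login_value "$demo")"
rm -f "$demo" "$demo.bak"
```

Run it on a copy first; on the real file do `disable_root_login /etc/ssh/sshd_config && check_sshd_config /etc/ssh/sshd_config` as root, and only then restart sshd as in step 6. Keep your existing session open until a fresh login as your regular user succeeds.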
Some other ideas for securing your system:
1) Only allow specific users to use su.
Richard Stallman apparently has no idea about being a sysadmin (read the bottom). In FreeBSD, for a user to be able to su to root, he must be a member of the wheel group. Linux does not have that restriction. The easiest way to do this is to change the permissions on the /bin/su command so that only members of wheel, or some other group, can execute it:
chgrp wheel /bin/su
chmod 4550 /bin/su
# the leading 4 keeps the setuid bit; with a plain 550, su loses setuid and can no longer switch to root for anyone
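One thing to check after running those two commands, as an added example that is not from the post: su only works because it is setuid root, so the mode must keep the leading 4. This script (function names and the SU_PATH/SU_GROUP defaults are my own assumptions) reports whether su ended up as 4550 in the right group and names the problem if the setuid bit has gone missing:

```shell
#!/bin/sh
# Added example (not from the original post): verify that su has been
# restricted to one group WITHOUT losing its setuid bit. Function names and
# the SU_PATH/SU_GROUP defaults are assumptions; adjust for your system.

# Print "MODE GROUP" for a file, MODE as four octal digits so the setuid bit
# (leading 4) is visible. GNU stat first, BSD/macOS stat as a fallback.
file_mode_and_group() {
    stat -c '%04a %G' "$1" 2>/dev/null || stat -f '%OMp%OLp %Sg' "$1" 2>/dev/null
}

# Succeed only if PATH is mode 4550 and belongs to group GROUP; explain what
# is wrong otherwise. Mode 0550 means somebody ran "chmod 550" and dropped the
# setuid bit, so su can no longer switch users for anyone.
check_su_restriction() {
    path=$1
    group=$2
    out=$(file_mode_and_group "$path") || return 2   # 2: file missing/unreadable
    set -- $out
    mode=$1
    grp=$2
    if [ "$mode" != "4550" ]; then
        case $mode in
            [4567]???) echo "FAIL: $path is mode $mode, expected 4550" ;;
            *)         echo "FAIL: $path is mode $mode; the setuid bit is missing, so su is broken for everyone" ;;
        esac
        return 1
    fi
    if [ "$grp" != "$group" ]; then
        echo "FAIL: $path is group $grp, expected $group"
        return 1
    fi
    echo "OK: $path is 4550 with group $group; only $group members can run it"
}

# Check the real binary if present (wheel is the group used in the post).
su_bin=${SU_PATH:-$(command -v su 2>/dev/null)}
if [ -n "$su_bin" ] && [ -e "$su_bin" ]; then
    check_su_restriction "$su_bin" "${SU_GROUP:-wheel}" || :
fi
```

Run it after the chgrp/chmod and again after package upgrades: a package manager that reinstalls su may reset the mode to the distribution default, which the check will report as "expected 4550".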
2) Use sudo for users that only need to run a few things as root. Check out my other post on su and sudo. It's very robust, and there are lots of guides on how to use it. The idea here is that very few users need full root access to a system. If you prevent all other users from becoming root, then you don't need to worry as much. On a well configured system, you should be able to give out your root password and not have it affect security at all (assuming your hardware is secured).
3) Secure the terminal. Physical security is a must for any security on a system. But without absolute physical security (if there even is such a thing), you should take some steps to make your system a little more secure against someone sitting at the terminal. I'll go into this more in a later post.