
Access control for Root under Linux


Linux is currently one of the more popular network server operating systems; it inherits the security, stability and efficiency of UNIX. Root has the highest authority on a Linux system, and for that reason attackers tend to aim for Root access on the target. How can an administrator manage Root effectively? This article offers a few safety tips from the perspective of access control. The demonstration environment is Red Hat Enterprise Linux 5.

1. Remote login

In RHEL, the default is to allow the Root user to log in remotely and directly. If an attacker obtains the Root password and then logs in remotely, the entire server falls. We therefore restrict Root by refusing remote login, so that even an attacker who has the Root password cannot control the server through remote login. There are many ways to restrict remote Root login; I recommend two.

(1) SSH restrictions

SSH is the service used for remote maintenance and management of Linux systems, similar to using Telnet or Remote Desktop (3389) on Windows. To restrict Root login over SSH, modify the SSH configuration file. Open /etc/ssh/sshd_config and add:

    PermitRootLogin no

Note that Linux is case sensitive, so type it exactly as shown. Save and exit, then run the command

    service sshd restart

to restart the SSH service so that the change takes effect. From then on, a remote connection to the Linux server as Root is refused. (Figure 1)

(2) PAM authentication

We can also use a PAM authentication module to reject Root logins. Open /etc/pam.d/sshd and add the following statement as the first line:

    auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/sshduser onerr=succeed

The statement means that this check must pass for the login to go ahead; if it fails, authentication ends and the login is denied. The authentication module is /lib/security/pam_listfile.so; the item checked is the user (user), although it can also be set to a group (group); the sense is to reject (deny); the list file is /etc/sshduser, whose name and directory can be chosen freely; and onerr=succeed makes the module return success if it runs into an error. (Figure 2)

Then create the list file by running the following command in a terminal:

    echo "root" > /etc/sshduser

Of course, we can also open the sshduser file with vi to add users. Note that when there are multiple users, each user occupies one line. Once the user is added, log in to the server as Root again; the log shows that the login is rejected. (Figure 3)
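The script below is an added example, not part of the original article: it reads an sshd_config and a PAM sshd file and reports whether the two restrictions described above are actually in force. The function names and the sample files are constructed for illustration; it relies on sshd keeping the first value it reads for a keyword and does not handle Match blocks.

```shell
#!/bin/sh
# Added example: audit the SSH and PAM root-login restrictions described above.

# Print the effective PermitRootLogin value. sshd uses the first value it reads
# for a keyword; keywords are case-insensitive, values are not. '#' lines are
# comments. Match blocks are not handled here (assumption: none are in use).
effective_permit_root_login() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "yes" }' "$1"   # unset: root login allowed
}

# Print the file= path of the first active auth rule that calls pam_listfile
# with item=user sense=deny; print nothing when no such rule exists.
pam_deny_list_file() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && $3 ~ /pam_listfile\.so$/ {
             f = ""; u = 0; d = 0
             for (i = 4; i <= NF; i++) {
                 if ($i == "item=user") u = 1
                 if ($i == "sense=deny") d = 1
                 if ($i ~ /^file=/) f = substr($i, 6)
             }
             if (u && d && f != "") { print f; exit }
         }' "$1"
}

# Succeed only if user $2 has its own line in the deny list named by PAM file
# $1. With onerr=succeed a missing list file lets the login through, so an
# unreadable file counts as "not denied".
user_denied_by_pam() {
    list=$(pam_deny_list_file "$1")
    [ -n "$list" ] && [ -r "$list" ] && grep -qxF -- "$2" "$list"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin no\nPermitRootLogin yes\n' > "$tmp/sshd_config"
printf 'auth required /lib/security/pam_listfile.so item=user sense=deny file=%s onerr=succeed\n' "$tmp/sshduser" > "$tmp/pam_sshd"
echo "sshd_config PermitRootLogin: $(effective_permit_root_login "$tmp/sshd_config")"
user_denied_by_pam "$tmp/pam_sshd" root || echo "PAM: root NOT denied (list file missing)"
echo "root" > "$tmp/sshduser"
user_denied_by_pam "$tmp/pam_sshd" root && echo "PAM: root denied"
rm -rf "$tmp"
```

On a real host, pass /etc/ssh/sshd_config and /etc/pam.d/sshd to the functions instead of the sample files.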

