1. GRUB password
i. run as root with /sbin/grub-md5-crypt to get a MD5 hash.
ii. add “password –md5 <password-hash>” below timeout line in /boot/grub/grub.conf
iii. prees p when access grub menu
2. Administrative Controls for Root
Methods of Disabling the Root Account
| Method |
Description |
Effects |
Does Not Affect |
| Changing the root shell. |
Edit the /etc/passwd file and change the shell from/bin/bash to /sbin/nologin. |
| Prevents access to the root shell and logs any such attempts. |
| The following programs are prevented from accessing the root account: |
· login |
· gdm |
· kdm |
· xdm |
· su |
· ssh |
· scp |
· sftp |
|
| Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. |
| The following programs arenot prevented from accessing the root account: |
· sudo |
| · FTP clients |
| · Email clients |
|
| Disabling root access via any console device (tty). |
An empty /etc/securetty file prevents root login on any devices attached to the computer. |
| Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account: |
· login |
· gdm |
· kdm |
· xdm |
| · Other network services that open a tty |
|
| Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. |
| The following programs arenot prevented from accessing the root account: |
· su |
· sudo |
· ssh |
· scp |
· sftp |
|
| Disabling root SSH logins. |
Edit the /etc/ssh/sshd_configfile and set thePermitRootLogin parameter tono. |
| Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account: |
· ssh |
· scp |
· sftp |
|
| This only prevents root access to the OpenSSH suite of tools. |
|
| Use PAM to limit root access to services. |
Edit the file for the target service in the /etc/pam.d/directory. Make sure thepam_listfile.so is required for authentication. |
| Prevents root access to network services that are PAM aware. |
| The following services are prevented from accessing the root account: |
| · FTP clients |
| · Email clients |
· login |
· gdm |
· kdm |
· xdm |
· ssh |
· scp |
· sftp |
| · Any PAM aware services |
|
| Programs and services that are not PAM aware. |
|
3. Checking Listening Ports
nmap -sT -O localhost ; netstat -atunp ; lsof -i
4. Access Control to Network Services Flowchart
Recent Comments