
#1 2007-03-05 02:14:59

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

My secure root HOWTO

I was recently trying to think of a good way to secure my root account the best way possible and came up with this idea. It works great for me so I thought I'd share.

This method will involve three major users including the sudo program. First being a regular everyday user which we'll call user. Second is the root user and third will be an intermediate user we'll call foo. To access the root account, whose password will be locked, the user will have to have permissions to access foo which in turn will have access to root via sudo su -. Basically, foo is the root user but the idea here is that first a remote hacker must know the regular user's account and password (which may have ssh access) then must know the intermediate user's name and password (ssh denied) to sudo to root.

Here's the basic setup:

1) Log on to root in two real terminals by entering alt+f1 and alt+f2. You'll have a backup in case something goes wrong.
2) Lock the password so no possible value will be accepted.

# passwd -l root

3) Create the intermediate user. This should be a unique name as half the battle is knowing the right username.

useradd -s /bin/bash foo

4) Set its password. This should be a strong value as it is effectively your sudo root's password.

passwd foo

5) Allow foo access to /bin/su -

visudo
root ALL=(ALL) ALL
foo ALL=(ALL) NOPASSWD:/bin/su -

6) Create a getroot script which allows the regular user to switch user to foo and execute sudo su -

#!/bin/bash

/bin/su foo -c "/usr/bin/sudo su -"

Place it in /usr/bin/ and change owner to root:foo and permissions 0750. This will deny all but members of the foo group to access it:

chown root:foo /usr/bin/getroot
chmod 0750 /usr/bin/getroot

7) Add the regular user to the wheel group so he/she may be able to switch over to foo and the foo group to execute the getroot script.

gpasswd -a user wheel
gpasswd -a user foo

Now you can test it out. Make sure you leave your other root window open in case something doesn't work and exit out of your current terminal. Login as the regular user and run the getroot script. You will be prompted for foo's password which will then switch you into root.

Using ssh:
You'll want to disable root login as well as foo, otherwise we've nearly defeated our purpose. Open up /etc/ssh/sshd_config:

PermitRootLogin no
DenyUsers foo
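
A read-only check of step 2 and the sshd_config settings above, as an added example that is not part of the original post. The function names, the use of copied files passed as arguments, and the sample file contents are assumptions made for illustration; "foo" is the post's placeholder account.

```shell
#!/bin/bash
# Added audit sketch (not from the post). File paths are arguments so the checks
# can run against copies; "foo" is the HOWTO's placeholder intermediate account.

# Step 2: passwd -l puts '!' in front of root's hash; '*' also matches no password.
root_locked() {  # $1 = shadow file
    awk -F: '$1 == "root" { seen = 1; ok = ($2 ~ /^[!*]/) }
             END { exit !(seen && ok) }' "$1"
}

# sshd keywords are case-insensitive and the first value seen wins. Only the
# global section is read: parsing stops at the first Match line.
sshd_first() {  # $1 = sshd_config, $2 = keyword
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# DenyUsers may appear several times; entries are compared literally here,
# so wildcard or user@host patterns are not interpreted.
sshd_denies() {  # $1 = sshd_config, $2 = user
    awk -v u="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) hit = 1 }
                   END { exit !hit }' "$1"
}

# Prints one line per failed check and returns the number of failures.
audit() {  # $1 = shadow, $2 = sshd_config, $3 = intermediate user
    local fails=0
    root_locked "$1" || { echo "FAIL: root password is not locked"; fails=$((fails + 1)); }
    [ "$(sshd_first "$2" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
    sshd_denies "$2" "$3" || { echo "FAIL: DenyUsers does not list $3"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not real system data): root is locked, but a later
# "PermitRootLogin no" is shadowed by an earlier "yes", and foo is not denied.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:!$6$constructed$hash:13577::::::' > "$tmp/shadow"
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' 'PermitRootLogin no' \
    'DenyUsers guest' > "$tmp/sshd_config"
audit "$tmp/shadow" "$tmp/sshd_config" foo || echo "$? check(s) failed"
```

On a real system, run `audit` as root against /etc/shadow and /etc/ssh/sshd_config with the actual intermediate user name in place of foo.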


#2 2007-03-05 03:40:53

hacosta
Member
From: Mexico
Registered: 2006-10-22
Posts: 423

Re: My secure root HOWTO

Seems good.. or you can just deny su access to all users who are not in the wheel group and just have foo in that group, it would be *almost* as secure.. Great contribution though, I might give it a shot in my server box.

