zemotard
Hot Shot

Improve security access --> How to rename root account?


Hi, is it possible to rename root access?

What's the best practice to avoid using root login?

Regards


Accepted Solutions
pcomo
Enthusiast

Hi,

If you want to avoid root login for SSH connections, check your sshd_config file in the /etc/ssh/ directory and change the following line to no:

LoginGraceTime 120

PermitRootLogin yes -> PermitRootLogin no

#StrictModes yes

Restart the sshd daemon: service sshd restart

Create a new user for logon and use su - if you need root permission.

You could use Veeam software to create and modify root access easily.

I hope that I helped you.

dkfbp
Expert

I don't know why you want to avoid root login. Root is already denied login from SSH and is only allowed login from the console.

But you can open the file /etc/passwd and change /bin/bash to /sbin/nologin in the line that starts with root. When you have done that, root will be unable to log on to the system from the console. Personally I would just deny root ssh access and use a secure password for root.

Best regards Frank Brix Pedersen blog: http://www.vfrank.org
Texiwill
Leadership

Hello,

NEVER EVER deny Root the ability to log in from the console... using /sbin/nologin will cause all sorts of things to fail, including all the cron jobs which keep the system cleaned up and running smoothly. Also this prevents you from running anything as root, which is necessary when maintaining the system.

SSH by default does not allow root logins. So if you have not changed this then all is good. Root can be renamed but will always be UID/GID 0 which is just another way of saying the label is changed but there is always a root user and group. Changing the name does not change the fact that it is impossible to change the UID/GID. It is incredibly easy to determine the new name in use as the file it is stored in has to be world readable. The passwords are not in this so all is good. Personally I would leave it alone.

You can disallow SU ability by only allowing those in the wheel group to su to root, then have no one in the wheel group. You can edit /etc/pam.d/su and uncomment the appropriate line. Then I would also create an ADMIN group and set up SUDO so that those in the ADMIN group can use SUDO to run commands as root. SUDO gives the added ability to track who did what when.

You cannot deny root access and have a running, maintainable system. But you can set up an audit trail and allow only those that should run the maintenance commands the ability to do so.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
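
The checks described in the replies above, as an added shell example that is not part of the original thread: it lists every UID 0 account (so a renamed root is still found), reads the global PermitRootLogin value, and tests whether su is limited to the wheel group. The pam_wheel.so line, the account names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for the settings discussed.
# Each function takes a file path so it can be run against copies.

# Every account name whose UID is 0. A renamed root still shows up here,
# because the passwd file is world-readable and the UID stays 0.
uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "${1:-/etc/passwd}"
}

# Global PermitRootLogin value. sshd uses the first occurrence of a keyword,
# keywords are case-insensitive, and everything after the first Match line is
# conditional, so scanning stops there. Include files are not followed.
# Prints "unset" when the compiled-in default applies.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "${1:-/etc/ssh/sshd_config}"
}

# Succeeds when an uncommented "auth required ... pam_wheel.so" line is present
# (assumed here to be the line the reply means in /etc/pam.d/su).
su_wheel_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' \
        "${1:-/etc/pam.d/su}"
}

audit() {
    echo "UID 0 accounts : $(uid0_accounts "$1" | tr '\n' ' ')"
    echo "PermitRootLogin: $(permit_root_login "$2")"
    if su_wheel_required "$3"; then
        echo "su             : wheel members only"
    else
        echo "su             : any user who knows the root password"
    fi
}

# Constructed sample files (not from a real host); root is renamed to "sysop".
d=$(mktemp -d)
printf '%s\n' 'sysop:x:0:0:root:/root:/bin/bash' \
    'alice:x:500:500::/home/alice:/bin/bash' > "$d/passwd"
printf '%s\n' 'LoginGraceTime 120' '#PermitRootLogin yes' \
    'PermitRootLogin no' '#StrictModes yes' > "$d/sshd_config"
printf '%s\n' '#auth required pam_wheel.so use_uid' > "$d/su"
audit "$d/passwd" "$d/sshd_config" "$d/su"
rm -rf "$d"
```

To check a live host, call audit with /etc/passwd, /etc/ssh/sshd_config and /etc/pam.d/su as the three arguments.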