Hi, is it possible to rename root access?
What's the best practice to avoid using root login?
Regards
Hi,
If you want to avoid root login for SSH connections, check your sshd_config file in the /etc/ssh/ directory and change the following line to no:
LoginGraceTime 120
PermitRootLogin yes -> PermitRootLogin no
#StrictModes yes
Restart the sshd daemon: service sshd restart
Create a new user for logon and use su - if you need root permission.
You could use Veeam software to create and modify root access easily.
I hope that I helped you.
I don't know why you want to avoid root login. Root is already denied login from SSH and is only allowed login from the console.
But you can open the file /etc/passwd and change /bin/bash to /sbin/nologin in the line that starts with root. When you have done that, root will be unable to log on to the system from the console. Personally I would just deny root ssh access and use a secure password for root.
Hello,
NEVER EVER deny Root the ability to log in from the console... using /sbin/nologin will cause all sorts of things to fail, including all the cron jobs which keep the system cleaned up and running smoothly. Also, this prevents you from running anything as root, which is necessary when maintaining the system.
SSH by default does not allow root logins. So if you have not changed this then all is good. Root can be renamed but will always be UID/GID 0 which is just another way of saying the label is changed but there is always a root user and group. Changing the name does not change the fact that it is impossible to change the UID/GID. It is incredibly easy to determine the new name in use as the file it is stored in has to be world readable. The passwords are not in this so all is good. Personally I would leave it alone.
You can disallow SU ability by only allowing those in the wheel group to su to root, then have no one in the wheel group. You can edit /etc/pam.d/su and uncomment the appropriate line. Then I would also create an ADMIN group and set up SUDO so that those in the ADMIN group can use SUDO to run commands as root. SUDO gives the added ability to track who did what when.
You cannot deny root access and have a running, maintainable system. But you can set up an audit trail and allow only those that should run the maintenance commands the ability to do so.
Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
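The settings discussed in this thread (PermitRootLogin, UID 0 accounts in /etc/passwd, the pam_wheel line in /etc/pam.d/su, wheel membership) can be checked with a short script. This is an added example, not code from any of the posters; the account names sysboss and opsuser and all sample file contents are constructed for illustration.

```bash
# Each check takes a file path, so it runs on copies or constructed samples.
# Effective PermitRootLogin: sshd uses the first uncommented occurrence and
# keywords are case-insensitive. "unset" means the build default applies.
sshd_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }' "$1"
}
# Every UID 0 account is root whatever its name; prints name:shell.
uid0_accounts() { awk -F: '$3 == 0 { print $1 ":" $7 }' "$1"; }
# Succeeds if an uncommented "auth required ... pam_wheel.so" line is active.
su_requires_wheel() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' "$1"
}
# Members of the wheel group (empty output means no user is in wheel).
wheel_members() { awk -F: '$1 == "wheel" { print $4 }' "$1"; }

SAMPLE=$(mktemp -d)   # constructed sample files, not from a real host
cat > "$SAMPLE/sshd_config" <<'EOF'
LoginGraceTime 120
#PermitRootLogin no
PermitRootLogin yes
#StrictModes yes
EOF
cat > "$SAMPLE/passwd" <<'EOF'
sysboss:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opsuser:x:500:500::/home/opsuser:/bin/bash
EOF
cat > "$SAMPLE/pam_su" <<'EOF'
auth       sufficient   pam_rootok.so
#auth       required     pam_wheel.so use_uid
auth       required     pam_stack.so service=system-auth
EOF
cat > "$SAMPLE/group" <<'EOF'
root:x:0:sysboss
wheel:x:10:
admin:x:501:opsuser
EOF

echo "PermitRootLogin: $(sshd_root_login "$SAMPLE/sshd_config")"
echo "UID 0 accounts:  $(uid0_accounts "$SAMPLE/passwd")"
if su_requires_wheel "$SAMPLE/pam_su"; then echo "su: wheel members only"
else echo "su: open to every user"; fi
echo "wheel members:   [$(wheel_members "$SAMPLE/group")]"
```

On a real host, pass the live paths (/etc/ssh/sshd_config, /etc/passwd, /etc/pam.d/su, /etc/group) to the same functions; the renamed account in the sample still shows up because the lookup is by UID, not by name.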