Preventing root access


This is the second article in a series about hardening the security of GNU/Linux systems. This serie aims to provide useful, practical, hands on and easy to follow tutorial-like articles for any system administrator or user to implement.

In this series of articles we’ll use the CentOS 7 (Community Enterprise Operating System)[1] as our default operating system. CentOS is a free, enterprise-class, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL)[2]. If you prefer an alternative operating system, please note that some configurations and packages might differ from what is described here.

If you like this article, have suggestions or comments; please feel free to leave a comment bellow.

About this article

This article provide instructions on how to configure your system to prevent any user, administrator or device to directly access the root account. By following the steps in this article your systems security will be tightened and many automated attacks, trying to access the root account, are avoided.

Preventing root access

Prevent remote access through SSH

The first step and the most simple configuration to make is to prevent the root account to remotely access your system through the SSH protocol. Permitting root to access a system through SSH exposes it to many automated attacks. By not permitting root access, any attacker would need to guess not only the password but a username as well, significantly increasing the complexity of the operation.

The configurations for permitting or restricting the root account to access a system trough SSH are done in the SSH daemon’s configuration file, the /etc/sshd_config file. Restricting access to the root account through SSH will only prevent the remote login. Any system administrator or user granted administrative authorities will still be able to remotely administrating the system using the sudo or su application, once a secure connection has been established.

The following two lines will restrict the root account to access the system through SSH:

sudo sed -i -e 's/#PermitRootLogin no/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd.service

Changing the root shell

The second step would be to prevent users or administrators to directly access the root account. This is achieved by changing the root account’s shell in the /etc/passwd configuration file and set it to /sbin/nologin.

This configuration will now prevent any access to the root shell and will log any attempts to access it. This configuration does only apply to login, gdm (or any other desktop manager), su, scp, sftp or any other application that requires a shell. Applications like sudo, ftp and e-mail clients are not affected by this configuration.

The following command line will change the root shell:

sudo sed -i -e '1 s:/bin/bash:/sbin/nologin:' /etc/passwd

Prevent access through console devices

The third step would be to prevent root access to any console devices (TTY) or raw network interfaces. This is achieved by modifying the /etc/securetty configuration file. The /etc/securetty configuration file allows you to specify which TTY devices the root account is allowed to login on to. Any device not specified in this file will not permit access.

The configuration file can either be left completely blanked or each device in the configuration file could be commented out, making it easier to restore the file if needed. A missing configuration file will be interpreted as allowing access to any console device. Therefor the file should under no circumstances be removed. The following command line will put the # symbol before each line, commenting out all devices:

sudo sed -i -e 's/^/#/' /etc/securetty

Please note that this configuration does not affect applications such as ssh, scp or sftp since the console is not opened until after authentication. This, however, was already managed by not permitting root to login via the SSH protocol.

Additional configurations

By taking these three steps we successfully tightened our systems security and now prevent any user to directly login to the root account. To take things even further we could use PAM (Pluggable Authentication Modules)[3]. PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system.

PAM offers the following advantages:

  • a common authentication scheme that can be used with a wide variety of applications.
  • significant flexibility and control over authentication for both system administrators and application developers.
  • a single, fully-documented library which allows developers to write programs without having to create their own authentication schemes.

A tutorial on how to set up PAM to further tighten your system security will be written in the future. Subscribe to this blog to get notified whenever a new post is published. If you liked this tutorial or have suggestions on how to better configure your system, please leave a comment below.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

five × three =