Solved

prevent reset password on centos

Posted on 2013-01-20
4
724 Views
Last Modified: 2013-02-05
how am i disable anyone from reset my centos root password if he was able to reboot and lan access to my pc.
0
Comment
Question by:john80988
4 Comments
 

Expert Comment

by:zmeh
ID: 38798291
You can protect single user mode in boot loader level.
It's from wiki.centos.org
For directions on protecting grub, see BIOS and Boot Loader Security. To require root's password for single user mode, you can use:

echo "# Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "Don't allow any nut to kill the server"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab

You must secure booting from other devices like dvd/usb in BIOS, and secure BIOS editing by password. That's all I can think of.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38798296
I assume that you have GRUB (boot loader) installed.

This boot loader can be password secured in a way that users which do not know this password are prevented from access to Single User Mode and also from booting into an insecure OS (dual boot).

Chapter 47.1.2.2 of the RedHat Deployment Guide:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#ch-wstation

has detailed info on this. In chapter 47.1.2.1 there are instructions how to secure the BIOS so that booting from external media is prevented.

wmp
0
 
LVL 11

Accepted Solution

by:
Giladn earned 500 total points
ID: 38798328
In addition to the above, make sure you cover all angels..
 

make sure you notice there's no physical access to your server with usb\cd etc
otherwise nothing you do will be useful , in addition, if you want to prevent access from   external devices to your file system you might want to encrypt it..

also, make sure the user has not created a backdoor (via reverse_tcp etc) or an elevated privileged user that he logs in with and resets your password with.

Hope this helps,

G
0
 
LVL 9

Expert Comment

by:crazedsanity
ID: 38801416
Make sure there is no physical access to the machine: if there is, you'll have to go with some fairly extreme measures to keep someone from tampering with the system.  Assuming that you're the only one with physical access to the machine (or at least this other person has no access to it):

Remove all capability of remotely logging into the system by stopping some services.  Use
netstat -at

Open in new window

to determine what ports are open (look for things like "*:ssh" for services that are listening for connections).  Hopefully you don't have anything like telnet or simple (insecure) FTP running.  Be sure to check the SSH configuration (usually in /etc/ssh/sshd_config) to make sure nobody can login directly as root... if you do this currently, stop, instead look at "sudo".
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question