Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

prevent reset password on centos

Posted on 2013-01-20
4
Medium Priority
?
748 Views
Last Modified: 2013-02-05
how am i disable anyone from reset my centos root password if he was able to reboot and lan access to my pc.
0
Comment
Question by:john80988
4 Comments
 

Expert Comment

by:zmeh
ID: 38798291
You can protect single user mode in boot loader level.
It's from wiki.centos.org
For directions on protecting grub, see BIOS and Boot Loader Security. To require root's password for single user mode, you can use:

echo "# Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "Don't allow any nut to kill the server"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab

You must secure booting from other devices like dvd/usb in BIOS, and secure BIOS editing by password. That's all I can think of.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38798296
I assume that you have GRUB (boot loader) installed.

This boot loader can be password secured in a way that users which do not know this password are prevented from access to Single User Mode and also from booting into an insecure OS (dual boot).

Chapter 47.1.2.2 of the RedHat Deployment Guide:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#ch-wstation

has detailed info on this. In chapter 47.1.2.1 there are instructions how to secure the BIOS so that booting from external media is prevented.

wmp
0
 
LVL 11

Accepted Solution

by:
Giladn earned 2000 total points
ID: 38798328
In addition to the above, make sure you cover all angels..
 

make sure you notice there's no physical access to your server with usb\cd etc
otherwise nothing you do will be useful , in addition, if you want to prevent access from   external devices to your file system you might want to encrypt it..

also, make sure the user has not created a backdoor (via reverse_tcp etc) or an elevated privileged user that he logs in with and resets your password with.

Hope this helps,

G
0
 
LVL 9

Expert Comment

by:crazedsanity
ID: 38801416
Make sure there is no physical access to the machine: if there is, you'll have to go with some fairly extreme measures to keep someone from tampering with the system.  Assuming that you're the only one with physical access to the machine (or at least this other person has no access to it):

Remove all capability of remotely logging into the system by stopping some services.  Use
netstat -at

Open in new window

to determine what ports are open (look for things like "*:ssh" for services that are listening for connections).  Hopefully you don't have anything like telnet or simple (insecure) FTP running.  Be sure to check the SSH configuration (usually in /etc/ssh/sshd_config) to make sure nobody can login directly as root... if you do this currently, stop, instead look at "sudo".
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month13 days, 8 hours left to enroll

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question