Solved

centos secure root

Posted on 2014-09-04
6
333 Views
Last Modified: 2014-09-20
Today when I logged in as "root" to my box via ssh I saw 459 failed attempts... how do I make it so that after 2 failed attempts it will lock them out?
Question by:Starquest321
6 Comments

Author Comment

by:Starquest321
ID: 40303432
Another option is to somehow set some verified IPs where we can SSH from...
LVL 34

Accepted Solution

by:
Seth Simmons earned 100 total points
ID: 40303800
you can use pam_tally to configure account lockout policy, though I don't recommend it for root

Locking User Accounts After Too Many Login Failures
http://www.puschitz.com/SecuringLinux.shtml#LockingUserAccountsAfterTooManyLoginFailures

probably a safer option is to disable ssh access for root which still allows for su and sudo

Security Tip: Disable Root SSH Login on Linux
http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40305722
You can use public keys only for root:
man sshd_config
    PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be “yes”, “without-password”, “forced-commands-only”, or
             “no”.  The default is “yes”.

             If this option is set to “without-password”, password authentication
             is disabled for root.

             If this option is set to “forced-commands-only”, root login with
             public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to “no”, root is not allowed to log in.

SELinux will prevent access to root's public key, so you need to make peace with it first before disabling password login.

Also a nice idea to add trusted users to the wheel group and enable that group's sudo with visudo.
LVL 29

Assisted Solution

by:serialband
serialband earned 100 total points
ID: 40306502
Is this a public login server?  If not, change the default ssh port to something above 1024.  Don't use 22 if you don't want constant script kiddie brute force attempts.  Once they've discovered you, they'll keep attacking you from various IP addresses.

I've managed some public login servers and the logs are filled with password attempts on various accounts.  They eventually figure out your timeout period and come at you from multiple IPs and multiple servers.  I changed the ports on private servers to something other than port 22, and I get no attempts.
LVL 13

Assisted Solution

by:Sandy
Sandy earned 100 total points
ID: 40309929
Hardening needed here...

1. If the password is quite easy, change it to a complex one.
2. As Simmons suggested, configure account lockout.
3. As gheist suggested, use a public key to log in.
4. Modify the ssh port.
5. Install software like a HIDS to keep an eye on every single injection attempt.

TY/SA
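The sshd_config changes Seth Simmons, gheist and serialband describe above, and which items 3 and 4 of this list summarise, as an added example script that is not code from the thread. It assumes a CentOS-style /etc/ssh/sshd_config passed as its FILE argument (try it on a copy first), canonical keyword spelling and no Match blocks; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a CentOS-style sshd_config passed
# as FILE (try it on a copy first), canonical keyword spelling, and no Match
# blocks (a directive inside a Match block would be treated as global).
# After editing the real file, validate with "sshd -t" and restart sshd.
# Print the effective value of KEY in FILE. sshd honours the first uncommented
# match, so we do too; prints nothing if the key is absent (built-in default).
get_sshd_option() {
    file=$1; key=$2
    grep -E "^[[:space:]]*$key[[:space:]]+" "$file" | head -n 1 | awk '{print $2}'
}

# Set KEY to VALUE in FILE: rewrite the first existing directive (active or
# commented out) in place, comment out later duplicates so the first-match
# rule cannot keep an old value alive, or append the directive if none exists.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and "#"
            if (line ~ ("^" key "([ \t]|$)")) {       # this is a KEY directive
                if (!done) { print key " " value; done = 1 }
                else       { print "# " $0 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# The two changes from the thread: root may log in with a key only (gheist),
# and sshd listens on PORT, an unprivileged port (serialband), instead of 22.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin without-password
    set_sshd_option "$1" Port "$2"
}

# Constructed sample resembling a stock CentOS config, to try the functions on.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
}
```

Running harden_sshd_config twice leaves the file unchanged, so it is safe to re-run from a configuration-management job.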
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40309946
3a. Use unprivileged accounts to ascend to root via sudo when needed.