Solved

centos secure root

Posted on 2014-09-04
6
322 Views
Last Modified: 2014-09-20
Today when I logged in as "root" to my box via ssh I saw 459 failed attempts. . . how do I make it so that after 2 failed attempts - it will lock the  out ?
0
Comment
Question by:Starquest321
6 Comments
 

Author Comment

by:Starquest321
ID: 40303432
Another option is to somehow set some verified IP's where we can SSH from . . .
0
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 100 total points
ID: 40303800
you can use pam_tally to configure account lockout policy though i don't recommend for root

Locking User Accounts After Too Many Login Failures
http://www.puschitz.com/SecuringLinux.shtml#LockingUserAccountsAfterTooManyLoginFailures

probably a safer option is to disable ssh access for root which still allows for su and sudo

Security Tip: Disable Root SSH Login on Linux
http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40305722
You can use public keys only for root:
man sshd_config
    PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be “yes”, “without-password”, “forced-commands-only”, or
             “no”.  The default is “yes”.

             If this option is set to “without-password”, password authentica-
             tion is disabled for root.

             If this option is set to “forced-commands-only”, root login with
             public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to “no”, root is not allowed to log in.

Selinux will prevent access to root's public key, so you need to make peace with it first before disabling password login

Also nice idea to add trusted users to wheel group and enable that groups sudo with visudo.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 27

Assisted Solution

by:serialband
serialband earned 100 total points
ID: 40306502
Is this a public login server?  If not, change the default ssh port to something above 1024.  Don't use 22 if you don't want constant script kiddie brute force attempts.  Once they've discovered you, they'll keep attacking you from various IP addresses.

I've managed some public login servers and the logs are filled with password attempts on various accounts.  They eventually figure out your timeout period and come at you from multiple IPs and multiple servers.  I changed the ports on private servers to something other than port 22, and I get no attempts.
0
 
LVL 13

Assisted Solution

by:Sandy
Sandy earned 100 total points
ID: 40309929
Hardening needed here...

1. If password is quiet easy then change it to a complex one.
2. As Simmons suggested configure Account lockout
3. As Gheist suggested use public key to login
4. Modify the ssh port
5. Install software like HIDS to have eye on every single attempt to inject.

TY/SA
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40309946
3a use unprivileged accounts to ascend to root via sudo when needed....
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now