Solved

centos secure root

Posted on 2014-09-04
6
331 Views
Last Modified: 2014-09-20
Today when I logged in as "root" to my box via ssh I saw 459 failed attempts. . . how do I make it so that after 2 failed attempts - it will lock the  out ?
0
Comment
Question by:Starquest321
6 Comments
 

Author Comment

by:Starquest321
ID: 40303432
Another option is to somehow set some verified IP's where we can SSH from . . .
0
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 100 total points
ID: 40303800
you can use pam_tally to configure account lockout policy though i don't recommend for root

Locking User Accounts After Too Many Login Failures
http://www.puschitz.com/SecuringLinux.shtml#LockingUserAccountsAfterTooManyLoginFailures

probably a safer option is to disable ssh access for root which still allows for su and sudo

Security Tip: Disable Root SSH Login on Linux
http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40305722
You can use public keys only for root:
man sshd_config
    PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be “yes”, “without-password”, “forced-commands-only”, or
             “no”.  The default is “yes”.

             If this option is set to “without-password”, password authentica-
             tion is disabled for root.

             If this option is set to “forced-commands-only”, root login with
             public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to “no”, root is not allowed to log in.

Selinux will prevent access to root's public key, so you need to make peace with it first before disabling password login

Also nice idea to add trusted users to wheel group and enable that groups sudo with visudo.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 28

Assisted Solution

by:serialband
serialband earned 100 total points
ID: 40306502
Is this a public login server?  If not, change the default ssh port to something above 1024.  Don't use 22 if you don't want constant script kiddie brute force attempts.  Once they've discovered you, they'll keep attacking you from various IP addresses.

I've managed some public login servers and the logs are filled with password attempts on various accounts.  They eventually figure out your timeout period and come at you from multiple IPs and multiple servers.  I changed the ports on private servers to something other than port 22, and I get no attempts.
0
 
LVL 13

Assisted Solution

by:Sandy
Sandy earned 100 total points
ID: 40309929
Hardening needed here...

1. If password is quiet easy then change it to a complex one.
2. As Simmons suggested configure Account lockout
3. As Gheist suggested use public key to login
4. Modify the ssh port
5. Install software like HIDS to have eye on every single attempt to inject.

TY/SA
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 40309946
3a use unprivileged accounts to ascend to root via sudo when needed....
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question