
Quickly Secure CentOS 5 - Enable sudo, disable root

Post by chandranjoy » Wed Oct 13, 2010 6:02 pm

CentOS differs from many other distros by enabling the root account during setup. I prefer Ubuntu’s (and OS X’s) way of using a separate admin account and having the root account disabled. When there is a need to perform an administrative task, just run the command with sudo and easily prevent the risk of abusing root privileges and doing stupid things. Following this guide, I was able to make this work on CentOS.

1. First, log in as the root account. You can switch to the root account from any account by running su and typing the root password.
2. Enable sudo. If you are not comfortable with vim, run
    export EDITOR=gedit
first. Now run
    /usr/sbin/visudo
The lines starting with # are comment lines and will be ignored. Just uncomment the following line:
    # %wheel ALL=(ALL) ALL
by removing the # at the beginning. This line means that anybody in the group wheel can use sudo to run anything from anywhere.
3. Add an account to the group wheel. For example, if the account you use to perform administrative tasks is isteering, run
    gpasswd -a isteering wheel
Now you can sudo from user isteering.
4. Disable the root account. This is done by running passwd to lock the account:
    passwd -l root

After the above steps, it is quite obvious that we have just created a second root account: the user isteering is exactly the same as the root user, just with a different name. So we have not added much protection if an attacker can guess the name of this new account. You might therefore want to consider limiting where the user can log in from. Use your favorite editor to edit the file /etc/security/access.conf. Add the following line for the admin group:

    -:wheel:ALL EXCEPT LOCAL 192.168.1. 72.14.207.99

This will deny users in the group wheel from logging in from anywhere but the 192.168.1. subnetwork (note the trailing dot) or the host 72.14.207.99. You still need to add this line
    auth required pam_access.so
to /etc/pam.d/sshd to tell the SSH server to consult the access control; otherwise the SSH server will by default ignore this access control mechanism built into PAM.

Cheers :)
chandranjoy
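
A check for the four steps and the access.conf/PAM change above, added here as an example and not part of the original post. The function names and the root-directory argument are assumptions made for illustration; the file paths are the standard locations the post's commands modify.

```shell
#!/bin/sh
# Added example: audits the post's steps under a filesystem root.
# ROOT "/" needs root privileges (sudoers and shadow are root-only);
# a copied /etc tree can be checked unprivileged.

check() {  # check <label> <command...>: print PASS/FAIL, keep the status
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS  $desc"; return 0; fi
    echo "FAIL  $desc"; return 1
}

wheel_sudo_enabled() {  # step 2: "%wheel ALL=(ALL) ALL" is uncommented
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1/etc/sudoers"
}

user_in_wheel() {  # step 3: user appears in wheel's member list
    awk -F: -v u="$2" '$1 == "wheel" { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1/etc/group"
}

root_locked() {  # step 4: a locked password field starts with "!"
    awk -F: '$1 == "root" && $2 ~ /^!/ { ok = 1 } END { exit !ok }' "$1/etc/shadow"
}

wheel_origin_rule() {  # access.conf carries a deny ("-") rule for wheel
    grep -Eq '^[[:space:]]*-[[:space:]]*:[[:space:]]*wheel[[:space:]]*:' "$1/etc/security/access.conf"
}

sshd_uses_pam_access() {  # sshd's PAM stack has an uncommented pam_access.so
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+[^#]*pam_access\.so' "$1/etc/pam.d/sshd"
}

audit() {  # audit <root-dir> <admin-user>: returns the number of failed checks
    root=${1%/}; user=$2; fails=0
    check "sudoers: %wheel line uncommented" wheel_sudo_enabled "$root" || fails=$((fails + 1))
    check "group: $user is in wheel" user_in_wheel "$root" "$user" || fails=$((fails + 1))
    check "shadow: root password locked" root_locked "$root" || fails=$((fails + 1))
    check "access.conf: origin rule for wheel" wheel_origin_rule "$root" || fails=$((fails + 1))
    check "pam.d/sshd: pam_access.so enabled" sshd_uses_pam_access "$root" || fails=$((fails + 1))
    return "$fails"
}

# Usage: sh audit.sh / isteering   (script name is a placeholder)
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Running it before step 4 confirms that the two wheel checks pass while root can still log in.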