Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: root lockout
Top Forums UNIX for Dummies Questions & Answers root lockout Post 44141 by Kelam_Magnus on Monday 1st of December 2003 11:55:55 AM
Old 12-01-2003
When you say " another super user" I hope you dont mean adding a 2nd root account to the passwd file with 0 UID.

This can present many problems, not the least of which is when you do userdel -r root2 and remove all files owned by root... DONT DO THIS!!!!

Make sure at least you and your supervisor or backup has the root password as well as access to the machine incase of the "You get hit by a bus" syndrome...


Since you are new, here are a few security tips.....

I would also remove any users who are old or havent logged in since 6 months, or used to have root but no longer work there. this prevents any coworkers who may have had their password from logging in as another user.

Limit permissions on or remove .rhosts files in users' home directories... this gives equivalency on other boxes, as that user without a password.

I would suggest using the /etc/hosts.allow and /etc/hosts.deny files as well... to prevent unwanted remote access via open ports.

Use these as a template. You must have these loaded for each line to be valid.

# cat /etc/hosts.allow
#all : all : banners=/usr/localcw/opt/sysguard/banners : allow
ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : allow
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : allow
remshd: all : banners=/usr/localcw/opt/sysguard/banners : allow
sidftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow

# cat /etc/hosts.deny
# Deny all hosts
ALL : ALL


Also, shutdown any services you dont need... such as many of the R*commands, rcp, rlogin, .rhosts...
 

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Lockout Users

I am using AIx 4.3.3 and was wondering what the command was to keep users from logging in. I want to be able to do maintenance and keep the users out. Can anyone help? (7 Replies)
Discussion started by: cgillett
7 Replies

2. AIX

user lockout...

Hi, We are using 4.3.3.0 and I would like to make a global change to the "number of failed logins before user account is locked" Any ideas, other than using SMIT one user at a time.... ??? Thanks... Craig. (2 Replies)
Discussion started by: stumpy
2 Replies

3. AIX

lockout su for 1 user

I want to know if there is any easy way of stopping 1 user from using su? perferabily any su but I can make do with not allow him to su to root but allow other user to su to root. (3 Replies)
Discussion started by: daveisme
3 Replies

4. Red Hat

Account lockout policy

Hi all; I m using Red Hat Enterprise Linux Server release 5.1 (Tikanga) and I'm trying to setup password lockout policy so that a user account locks out after 3 failed attempts. Here are the entires of my /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes... (1 Reply)
Discussion started by: maverick_here
1 Replies

5. UNIX and Linux Applications

Account lockout using Openldap

What is the best way to implement account lockout in openldap? I have an openldap server with Ubuntu desktop client connecting to it for authentication. I want he accounts to locked out after say 5 failed authentication attempts I have enabled ppolicy layout in slapd.conf. overlay ppolicy... (0 Replies)
Discussion started by: nitin09
0 Replies

6. Red Hat

Account Lockout on Redhat

On a redhat linux 4 server, how to find if there is an account lockout duration is set. Is it configured under pam or /etc/shadow? what entries I need to find out? Is it pam_time.so module? I desperately need an answer because on one of the servers, no one was able to login through any account... (4 Replies)
Discussion started by: Tirmazi
4 Replies

7. Red Hat

Account lockout

having account lockout issues with an RHEL 5 server. My users are getting locked out for 10 minutes after one failed login attempt even though /etc/pam.d/sshd is configured for 5 failed attempts: auth include system-auth auth required pam_tally2.so deny=5 onerr=fail... (1 Reply)
Discussion started by: nerdalert
1 Replies

8. Solaris

Secman lockout

Greetings, I work with a Solaris Sun Server V240 system (GCCS) and have run into a problem where I can't seem to unlock my SECMAN account at the NON-GLOBAL level. I have access to all global accounts to include sysadmin and secman. I have access to the non-global sysadmin account and root... (4 Replies)
Discussion started by: TLAMGUY
4 Replies

9. Red Hat

RHEL4.8 no notification on PAM lockout

Good day. I have setup hardening the password (test system so far) prior to doing any work on production. Here is what I have set. Snippet from /etc/pam.d/system-auth auth required /lib/security/$ISA/pam_env.so auth required /lib/security/$ISA/pam_tally.so... (3 Replies)
Discussion started by: smurphy_it
3 Replies

LEARN ABOUT SUNOS

gpasswd

GPASSWD(1)                                                         User Commands                                                        GPASSWD(1)

NAME

       gpasswd - administer /etc/group and /etc/gshadow

SYNOPSIS

       gpasswd [option] group

DESCRIPTION

       The gpasswd command is used to administer /etc/group, and /etc/gshadow. Every group can have administrators, members and a password.

       System administrators can use the -A option to define group administrator(s) and the -M option to define members. They have all rights of
       group administrators and members.

       gpasswd called by a group administrator with a group name only prompts for the new password of the group.

       If a password is set the members can still use newgrp(1) without a password, and non-members must supply the password.

   Notes about group passwords
       Group passwords are an inherent security problem since more than one person is permitted to know the password. However, groups are a useful
       tool for permitting co-operation between different users.

OPTIONS

       Except for the -A and -M options, the options cannot be combined.

       The options which apply to the gpasswd command are:

       -a, --add user
           Add the user to the named group.

       -d, --delete user
           Remove the user from the named group.

       -h, --help
           Display help message and exit.

       -Q, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

       -r, --remove-password
           Remove the password from the named group. The group password will be empty. Only group members will be allowed to use newgrp to join
           the named group.

       -R, --restrict
           Restrict the access to the named group. The group password is set to "!". Only group members with a password will be allowed to use
           newgrp to join the named group.

       -A, --administrators user,...
           Set the list of administrative users.

       -M, --members user,...
           Set the list of group members.

CAVEATS

       This tool only operates on the /etc/group and /etc/gshadow files.  Thus you cannot change any NIS or LDAP group. This must be performed on
       the corresponding server.

CONFIGURATION

       The following configuration variables in /etc/login.defs change the behavior of this tool:

       ENCRYPT_METHOD (string)
           This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line).

           It can take one of these values: DES (default), MD5, SHA256, SHA512.

           Note: this parameter overrides the MD5_CRYPT_ENAB variable.

           Note: This only affect the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM
           configuration. It is recommended to set this variable consistently with the PAM configuration.

       MAX_MEMBERS_PER_GROUP (number)
           Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name,
           same password, and same GID).

           The default value is 0, meaning that there are no limits in the number of members in a group.

           This feature (split group) permits to limit the length of lines in the group file. This is useful to make sure that lines for NIS
           groups are not larger than 1024 characters.

           If you need to enforce such limit, you can use 25.

           Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really
           need it.

       MD5_CRYPT_ENAB (boolean)
           Indicate if passwords must be encrypted using the MD5-based algorithm. If set to yes, new passwords will be encrypted using the
           MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer
           salt strings. Set to no if you need to copy encrypted passwords to other systems which don't understand the new algorithm. Default is
           no.

           This variable is superseded by the ENCRYPT_METHOD variable or by any command line option used to configure the encryption algorithm.

           This variable is deprecated. You should use ENCRYPT_METHOD.

           Note: This only affect the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM
           configuration. It is recommended to set this variable consistently with the PAM configuration.

       SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
           When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when
           the number of rounds is not specified on the command line).

           With a lot of rounds, it is more difficult to brute forcing the password. But note also that more CPU resources will be needed to
           authenticate users.

           If not specified, the libc will choose the default number of rounds (5000).

           The values must be inside the 1000-999,999,999 range.

           If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used.

           If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value will be used.

           Note: This only affect the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM
           configuration. It is recommended to set this variable consistently with the PAM configuration.

FILES

       /etc/group
           Group account information.

       /etc/gshadow
           Secure group account information.

SEE ALSO

       newgrp(1), groupadd(8), groupdel(8), groupmod(8), grpck(8), group(5), gshadow(5).

shadow-utils 4.5                                                    01/25/2018                                                          GPASSWD(1)
All times are GMT -4. The time now is 11:06 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy