Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 640

Chapter 43. Securing Your Network
43.1.4.2.2. Disabling Root Logins
To further limit access to the root account, administrators can disable root logins at the console by
editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the
file does not exist at all, the root user can log in through any communication device on the system,
whether via the console or a raw network interface. This is dangerous, because a user can log in to
his machine as root via Telnet, which transmits the password in plain text over the network. By default,
Red Hat Enterprise Linux's /etc/securetty file only allows the root user to log in at the console
physically attached to the machine. To prevent root from logging in, remove the contents of this file by
typing the following command:
echo > /etc/securetty
Warning
A blank /etc/securetty file does not prevent the root user from logging in remotely
using the OpenSSH suite of tools because the console is not opened until after
authentication.
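The following shell script is an added example, not from the Red Hat manual: it classifies an /etc/securetty-style file into the states the text describes (absent, blank, console-only) and also flags the case the text does not spell out, a list that names devices beyond the physical console. The function name securetty_state, the sample files it builds and the assumption that the RHEL 5 default list consists only of console, vc/N and ttyN entries are mine, not the manual's.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): classify the state of an
# /etc/securetty-style file. The path is a parameter so the check can be run
# against a constructed sample as well as the live file. Prints one of:
#   missing  - file absent: root may log in on any device (the dangerous case)
#   empty    - file blank: console root logins disabled (SSH is unaffected)
#   console  - only the physical console and virtual consoles are listed
#   extended - other devices are listed too (serial lines, pseudo-terminals)
# Assumption: the RHEL 5 default list consists of console, vc/N and ttyN.
securetty_state() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    # drop comments, trim whitespace, drop blank lines
    devices=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                  -e '/^$/d' "$1")
    if [ -z "$devices" ]; then
        echo empty
        return 0
    fi
    # anything outside the console/virtual-console pattern widens root access
    extra=$(printf '%s\n' "$devices" | grep -v -E '^(console|vc/[0-9]+|tty[0-9]+)$' || true)
    if [ -n "$extra" ]; then
        echo extended
        return 0
    fi
    echo console
}

# Demo with constructed sample files (not real system files).
demo_dir=$(mktemp -d)
printf 'console\nvc/1\ntty1\n' > "$demo_dir/default"
printf 'console\nttyS0\npts/0\n' > "$demo_dir/widened"
: > "$demo_dir/blank"
for name in default widened blank absent; do
    printf '%-8s %s\n' "$name" "$(securetty_state "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

On a live system, `securetty_state /etc/securetty` gives the same classification. An "empty" result only covers logins that go through a tty check; as the warning above says, SSH root logins are governed by sshd_config, not by this file.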
43.1.4.2.3. Disabling Root SSH Logins
To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file
(/etc/ssh/sshd_config). Change the line that reads:
# PermitRootLogin yes
to read as follows:
PermitRootLogin no
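The following shell function is an added example, not from the manual or from OpenSSH: it reports the PermitRootLogin value sshd would actually apply for a given sshd_config. It shows two things the edit above depends on: a commented-out line sets nothing (the compiled-in default, yes on RHEL 5, still applies), and sshd honours the first occurrence of a keyword, so a "no" appended below an existing "yes" has no effect. The function name effective_permit_root_login, the sample files and the choice to look only at the global section (stopping at any Match block) are mine.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): report the PermitRootLogin
# value sshd would actually use for a given sshd_config. Two details matter:
#   * a commented "# PermitRootLogin yes" only documents the compiled-in
#     default; it sets nothing, so the default (yes on RHEL 5) still applies;
#   * sshd takes the FIRST occurrence of a keyword and ignores later ones, so
#     appending "PermitRootLogin no" below an existing "PermitRootLogin yes"
#     changes nothing.
# Assumption: only the global section is examined; anything after a Match
# block is conditional and is skipped here.
effective_permit_root_login() {
    awk '
        tolower($1) == "match" { exit }            # conditional section: stop
        /^[[:space:]]*(#|$)/ { next }              # comment or blank line
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }            # compiled-in default assumed
    ' "$1"
}

# Demo with constructed sample files (not real system files).
demo_dir=$(mktemp -d)
printf '# PermitRootLogin yes\nProtocol 2\n' > "$demo_dir/untouched"
printf 'PermitRootLogin yes\nProtocol 2\nPermitRootLogin no\n' > "$demo_dir/appended"
printf 'Protocol 2\nPermitRootLogin no\n' > "$demo_dir/hardened"
for name in untouched appended hardened; do
    printf '%-10s %s\n' "$name" "$(effective_permit_root_login "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

Run `effective_permit_root_login /etc/ssh/sshd_config` after the edit and expect "no"; any other answer means the change did not take effect, most often because an earlier uncommented PermitRootLogin line is still present.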
43.1.4.2.4. Disabling Root Using PAM
PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying
specific accounts. The administrator can use this module to reference a list of users who are not
allowed to log in. Below is an example of how the module is used for the vsftpd FTP server in the
/etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line in the following
example is not necessary if the directive is on one line):
auth required /lib/security/pam_listfile.so item=user \
     sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
This instructs PAM to consult the /etc/vsftpd.ftpusers file and deny access to the service for
any listed user. The administrator can change the name of this file, and can keep separate lists for
each service or use one central list to deny access to multiple services.
If the administrator wants to deny access to multiple services, a similar line can be added to the PAM
configuration files, such as /etc/pam.d/pop and /etc/pam.d/imap for mail clients, or
/etc/pam.d/ssh for SSH clients.
For more information about PAM, refer to Section 43.4, "Pluggable Authentication Modules (PAM)".
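The following shell function is an added example, not from the manual and not part of PAM or vsftpd: it joins backslash-continued lines as in the vsftpd rule above, finds the first auth rule that loads pam_listfile.so, and reports what that rule does for a named user. It also covers the case the onerr=succeed setting creates when the list file is missing: the module reports success, so nobody is denied. The function name pam_listfile_audit, the constructed service files and user names, and the assumed default of onerr=fail when that option is absent are mine.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): evaluate what a pam_listfile
# "auth" rule in a pam.d service file would do for a given user.
# The service file and user are parameters so the check runs against
# constructed samples. Reports one of:
#   denied / allowed   - user is / is not in the sense=deny list
#   fail-open          - list file missing and onerr=succeed: nobody is denied
#   fail-closed        - list file missing and onerr=fail: the module errors out
#   no-listfile-rule   - no item=user sense=deny pam_listfile auth rule found
# Assumptions: only the first matching rule is examined, and onerr defaults
# to fail when the option is not given.
pam_listfile_audit() {
    awk -v user="$2" '
        # join backslash-continued lines, as in the vsftpd example
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        { $0 = buf $0; buf = "" }
        /^[[:space:]]*#/ { next }
        !seen && $1 == "auth" && $3 ~ /pam_listfile\.so$/ {
            seen = 1
            sense = ""; onerr = "fail"; item = ""; listfile = ""
            for (i = 4; i <= NF; i++) {
                eq = index($i, "="); if (eq == 0) continue
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if (key == "sense") sense = val
                else if (key == "onerr") onerr = val
                else if (key == "item") item = val
                else if (key == "file") listfile = val
            }
            if (item != "user" || sense != "deny" || listfile == "") {
                print "no-listfile-rule"; exit
            }
            # read the deny list; getline returns -1 if the file is missing
            found = 0
            while ((rc = (getline l < listfile)) > 0) {
                sub(/[[:space:]]+$/, "", l)
                if (l == user) found = 1
            }
            close(listfile)
            if (rc < 0) { v = (onerr == "succeed") ? "fail-open" : "fail-closed"; print v; exit }
            print (found ? "denied" : "allowed"); exit
        }
        END { if (!seen) print "no-listfile-rule" }
    ' "$1"
}

# Demo with constructed sample files (not real system files).
demo_dir=$(mktemp -d)
printf 'root\nbin\ndaemon\n' > "$demo_dir/ftpusers"
cat > "$demo_dir/vsftpd" <<EOF
#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=user \\
                        sense=deny file=$demo_dir/ftpusers onerr=succeed
auth       required     pam_unix.so
EOF
# same rule, but the list file does not exist: onerr=succeed lets everyone through
sed "s|$demo_dir/ftpusers|$demo_dir/missing|" "$demo_dir/vsftpd" > "$demo_dir/pop"
for user in root alice; do
    printf 'vsftpd %-6s %s\n' "$user" "$(pam_listfile_audit "$demo_dir/vsftpd" "$user")"
done
printf 'pop    %-6s %s\n' root "$(pam_listfile_audit "$demo_dir/pop" root)"
rm -rf "$demo_dir"
```

Running `pam_listfile_audit /etc/pam.d/vsftpd root` on a system configured as the manual shows should print "denied"; "fail-open" means the deny list named in the rule is absent and, because of onerr=succeed, the rule currently denies nobody.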