- Oracle 11g Anti-hacker's Cookbook
- Adrian Neagu
- 458字
- 2021-08-05 18:41:32
Restricting direct login and su access
On critical systems it is usually considered a bad practice to allow direct remote logins to system users, such as root or other application owners, and shared users, such as oracle. As a method for better control and from the user audit point of view, it is recommended to create different login users that will be allowed to connect and perform switches (su) to users considered critical. No other users should be exposed to the external world to allow direct, remote, or local connections.
In this recipe, we will create a group log and a user named loguser1, and we will disable direct logins for all others.
Getting ready
All steps will be performed on nodeorcl1.
How to do it...
- Create a designated group for users allowed to log in:
[root@nodeorcl1 ~]# groupadd logingrp - Create an user and assign it to
logingrpgroup as follows:[root@nodeorcl1 ~]# useradd -g logingrp loginuser1 - To disable direct login for all users add the following line to
/etc/pam.d/system-auth:account required pam_access.so - Uncomment and modify the following line from
/etc/security/access.conf::ALL EXCEPT logingrp :ALL - All logins excepting users from the
logingrpgroup will be denied. If we try to connect fromnodeorcl5the connection will be closed:[loguser1@nodeorcl5 ~]$ ssh -l oracle nodeorcl1 oracle@nodeorcl1's password: Connection closed by 10.241.132.218 [loguser1@nodeorcl5 ~]$
- The connection succeeds as
loginuser1:[loguser1@nodeorcl5 ~]$ ssh -l loginuser1 nodeorcl1 loguser1@nodeorcl1's password: [loguser1@nodeorcl1 ~]$
- To disable the
sucapabilities for all users exemptingloginuser1, open/etc/pam.d/suand uncomment the following line as instructed in the file:# Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid
- At this moment all users that don't belong to the
wheelgroup are not allowed to switch to an other user. Addloginuser1to thewheelgroup as follows. In this way the only user that may executesucommand will beloginuser1:[root@nodeorcl1 etc]# usermod -G wheel loginuser1 - If you try to execute an
sucommand with theoracleuser, you will getincorrect passwordmessage, and the switch cannot be performed:[oracle@nodeorcl1 ~]$ su - Password: su: incorrect password [oracle@nodeorcl1 ~]$
- But as user
loguser1it succeeds:[loguser1@nodeorcl1 ~]$ su - Password: [root@nodeorcl1 ~]#
How it works...
The PAM module that performs the login check is pam_access.so, with the control flag set to required and the module type account. The control of su command is performed by the pam_wheel.so module.
There's more...
At this moment all users who do not belong to the group logusers are not allowed to log in locally or remotely. The only exemption is root login using ssh. We will see how to deny remote root logins with ssh in the following recipe, Securing SSH login.
- ArchiCAD 19:The Definitive Guide
- PPT,要你好看
- Word 2000、Excel 2000、PowerPoint 2000上機指導與練習
- 西門子PLC與InTouch綜合應用
- 數據挖掘方法及天體光譜挖掘技術
- 西門子S7-200 SMART PLC實例指導學與用
- Visual FoxPro數據庫基礎及應用
- 分數階系統分析與控制研究
- 菜鳥起飛系統安裝與重裝
- 邊緣智能:關鍵技術與落地實踐
- Dreamweaver CS6中文版多功能教材
- 計算智能算法及其生產調度應用
- Cloudera Hadoop大數據平臺實戰指南
- Win 7二十一
- Mastering Android Game Development with Unity