
Re: [LI] Re: restrict linux from booting in single user



> we have a dns server at our college and few superuser accounts. However
> sometimes students manage to be superusers by booting Linux in single
> user mode by passing linux 1 or linux single at the LILO prompt.  This can be

Let's see - there are two or three levels of security you can use.

1. Physical level - disable all floppy drives from the CMOS and set
passwords (or remove them from all but a few machines).  This prevents
entry with Linux boot floppies.

2. Restrict root login access to only a few terminals, and keep those
terminals isolated, in a separate room.

3. Passwords are extremely leaky - especially in a college.  Force users
to change passwords regularly (make passwords expire on a weekly basis),
and make sure nobody writes the login / password on a post-it note and
pastes it on his terminal :)  Oh yes, make sure the passwd is not his name
reversed / his wife / kid / dog's name etc.

4. [suggested by somebody else on the list]

> I think there is some option whereby you can ensure a password is asked for
> while booting in single user mode. I think it is some option in lilo.conf, but that
> password will be in plaintext, so make lilo.conf read/write only to root.

Definitely do this.  Also, examine your log for all root logins (see
/var/log/secure for this).

5. Do not log into root for day to day tasks.  Have some users in the
staff group, with supervisor equivalent permissions.

6. Scan your network for open relays, old sendmail and other
vulnerabilities.  For example, if you have an old (lower than 8.8.8)
sendmail, it's child's play to gain root shell access. See
http://www.rootshell.com for more.  Run nmap / saint to find out what
ports are open, which are insecure, etc.

-- 
Suresh Ramasubramanian     | President, CAUCE India
r.suresh@xxxxxxxxxxxxxxx   | suresh@xxxxxxxxxxxxxxx
http://www.india.cauce.org | Stopping Spam In India

--
If Machiavelli were a hacker, he'd have worked for the CSSG.
		-- Phil Lapsley

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.
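Points 4 and 5 of the reply above (a LILO boot password so that "linux single" prompts for one, a lilo.conf that only root can read, and a look through /var/log/secure for root logins) as an added shell example. This is not code from the original post or from the list; the lilo.conf contents, hostnames, usernames, the password string and the log lines are constructed samples, and the log lines imitate the old login(1)/su(1) message style rather than being copied from a real machine.

```shell
#!/bin/sh
# Added example: LILO boot-password check plus a root-login scan.
# Everything written under $WORK is a constructed sample, not a real system.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak lilo.conf: anyone at the console can type "linux single" or
# "linux init=/bin/sh" and get a root shell without a password.
cat > "$WORK/lilo.conf.weak" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF

# Hardened lilo.conf: "password=" sets the boot password and "restricted"
# makes LILO demand it only when extra parameters (such as "single") are
# typed, so a normal unattended reboot still works.  The password is stored
# in clear text, which is why the file must be mode 600 and owned by root.
cat > "$WORK/lilo.conf.hard" <<'EOF'
boot=/dev/hda
prompt
timeout=50
restricted
password=CHANGEME-sample-only
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
chmod 600 "$WORK/lilo.conf.hard"

# Same hardened config left world-readable: the password leaks to every user.
cp "$WORK/lilo.conf.hard" "$WORK/lilo.conf.leaky"
chmod 644 "$WORK/lilo.conf.leaky"

# check_lilo_conf FILE: succeed (status 0) only if FILE has a password= line
# and its group/other permission bits are all cleared.
check_lilo_conf() {
    f=$1
    grep -q '^[[:space:]]*password=' "$f" || {
        echo "$f: no password= line, single-user boot is unprotected"; return 1; }
    grep -q '^[[:space:]]*restricted' "$f" ||
        echo "$f: note: no 'restricted', so the password is asked on every boot"
    # columns 5-10 of ls -l are the group and other bits; mode bits are
    # checked rather than a -r test so the check also works when run as root.
    perm=$(ls -ld "$f" | cut -c5-10)
    [ "$perm" = "------" ] || {
        echo "$f: group/other bits '$perm', password readable by others"; return 1; }
    return 0
}

# Constructed /var/log/secure lines in the old login(1)/su(1) style.
cat > "$WORK/secure" <<'EOF'
Mar  3 09:12:01 dns login[412]: ROOT LOGIN ON tty1
Mar  3 09:30:17 dns login[455]: LOGIN ON tty2 BY ravi
Mar  3 21:45:09 dns su[1203]: (to root) ravi on pts/0
Mar  4 02:03:44 dns login[1388]: ROOT LOGIN ON tty3
Mar  4 08:00:00 dns su[1402]: (to root) suresh on tty1
EOF

# root_logins FILE: print every direct root login and every su to root;
# these are the lines worth reviewing (who, which tty, what time of night).
root_logins() {
    grep -E 'ROOT LOGIN|\(to root\)' "$1"
}

# root_login_count FILE: number of such events, for a quick daily figure.
root_login_count() {
    root_logins "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the three configs, then list the root logins.
for name in weak hard leaky; do
    if check_lilo_conf "$WORK/lilo.conf.$name"; then
        echo "lilo.conf.$name: OK"
    fi
done
echo "root logins/su in sample log: $(root_login_count "$WORK/secure")"
root_logins "$WORK/secure"
```

After editing the real /etc/lilo.conf, run /sbin/lilo so the new map with the password takes effect; the file check only tells you the configuration is sane, not that it has been installed. Weekly expiry from point 3 is `chage -M 7 username` on a shadow-password system.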