AIX

  • 1.  Securing root access

    Posted Mon March 30, 2009 03:56 PM

    Originally posted by: SystemAdmin


    Hello Forum,

    What are the best practices for securing the root user account?

    user settings etc...

    What about restricting root login to just the HMC vterm?
    What about ssh - denying login but allowing scripts/commands between servers?

    Thanks!
    #AIX-Forum


  • 2.  Re: Securing root access

    Posted Mon March 30, 2009 03:57 PM

    Originally posted by: SystemAdmin


    Sorry - forgot version info:

    AIX 5.3 TL 6 SP 4
    #AIX-Forum


  • 3.  Re: Securing root access

    Posted Mon March 30, 2009 06:11 PM

    Originally posted by: shargus


    For denying login but allowing scripts/commands between servers - On our servers, we modified /etc/profile to filter this out.
    Interactive logins run /etc/profile, while remote execution through ssh does not.

    if /usr/bin/tty == /usr/sbin/lscons --> they're logging in at the console. You may or may not want to allow that.

    /usr/bin/logname - tells what account they logged in as (may not be the same as /usr/bin/who if they did a "su").
    We use a file to list what accounts are "service" or "application" accounts that are not allowed direct login, while "user" accounts can.

    We also make an exception for clusters - you can freely connect from one member of a cluster to another.

    Of course, this doesn't prevent someone from remotely executing an interactive shell; i.e. "ssh SERVER /usr/bin/sh"
    #AIX-Forum
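
A sketch of the /etc/profile filter that post 3 describes, added here as an example and not the poster's actual script: interactive logins by accounts named in a deny list are refused unless they arrive on the console. The deny-list path and format, the function names, and the choices to allow console logins and to refuse when logname returns nothing are assumptions; the cluster exception is left out.

```shell
#!/bin/sh
# Added illustration, not code from the thread. Only login shells read
# /etc/profile, so "ssh host command" is not covered, as the post notes.

# Hypothetical deny list: one account name per line, '#' starts a comment.
DENY_LIST="${DENY_LIST:-/etc/security/nologin_accounts}"

# is_service_account ACCOUNT FILE -> status 0 if ACCOUNT is listed in FILE.
# Comments and whitespace are stripped; the match is exact and whole-line.
is_service_account() {
    [ -r "$2" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$2" | grep -Fxq -- "$1"
}

# login_decision ACCOUNT TTY CONSOLE FILE -> prints "allow" or "deny".
login_decision() {
    acct=$1 tty=$2 console=$3 file=$4
    # Console logins pass (an assumption; the post leaves this to the site).
    if [ -n "$console" ] && [ "$tty" = "$console" ]; then
        echo allow; return 0
    fi
    # Unknown login name: refuse rather than guess (assumption of this example).
    if [ -z "$acct" ] || is_service_account "$acct" "$file"; then
        echo deny; return 0
    fi
    echo allow
}

# Call this from /etc/profile. logname reports the account used at login,
# which stays the same after an "su", unlike the effective user.
profile_login_filter() {
    acct=$(/usr/bin/logname 2>/dev/null)
    console=$(/usr/sbin/lscons 2>/dev/null)
    verdict=$(login_decision "$acct" "$(/usr/bin/tty)" "$console" "$DENY_LIST")
    if [ "$verdict" = deny ]; then
        echo "Direct login as '$acct' is not permitted on this host." >&2
        logger -p auth.notice "profile: denied interactive login for '$acct'"
        exit 1
    fi
    unset acct console verdict   # keep the user's environment clean
}
```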


  • 4.  Re: Securing root access

    Posted Tue March 31, 2009 04:14 AM

    Originally posted by: hdkutz


    Hello,
    to deny root login from ssh:
    <snip sshd_config>
    PermitRootLogin no
    <snip>

    It is also a good idea to protect your systems via tcp_wrapper. The SSH binaries from Darren Tucker
    http://home.zipworld.com.au/~dtucker/openssh/
    have tcp_wrapper support within.

    Cheers,
    ku
    #AIX-Forum


  • 5.  Re: Securing root access

    Posted Tue April 07, 2009 10:21 AM

    Originally posted by: nicofr


    Hi,

    With SSH, you can block remote login with a password but allow login with an ssh-key, which could protect you against hackers but allows you to run scripts or connect from secure hosts.

    In sshd_config:

    PermitRootLogin without-password

    This way, if a user doesn't have the ssh key, he cannot connect.
    #AIX-Forum


  • 6.  Re: Securing root access

    Posted Sat April 11, 2009 11:23 PM

    Originally posted by: cd3lgado


    Hi

    Best practices for protecting root begin by avoiding any access from the network to the root userid. That is, no remote shell using root, not even with SSH (you should not be using telnet by this time). The root userid must have properties that allow the su command just from a very restricted and controlled group of sysadmins. It's a good idea to restrict access using root to the console device (it's supposed that your console is in a secured room). You can configure the sudo command in order to give your sysadmin group access to some privileged commands run by root. The goal is to avoid the use of the root userid.

    Second layer of protection: good passwords. AIX allows for very strong password creation rules by using the /etc/security/user file. Good passwords are at least 8 characters long and have combinations of digits, special characters and capital letters.

    Third layer: auditing of any root activity by using the syslogd daemon and audit subsystem.

    Hope this helps
    #AIX-Forum