This article explains how to harden an Ubuntu or Debian system by disabling direct logins to the root account, so that nobody can reach the system with a privilege level that allows malicious actions or serious damage to your environment.
We go through several steps, and some of them overlap on purpose: you never know which flaw will be discovered next, or which of these layers it will get past.
Who is root, and why does it matter?
root is the first account you find on any Linux machine: it is uid 0, it can do anything on the system, and anyone who is granted access to it (the system owner included) has complete control. Our first concern is therefore to prevent everybody, ourselves included where possible, from logging in directly as root.
This account is critical for both security and safety, and it deserves to be treated and protected accordingly.
The next sections show a set of techniques for closing direct access to it, disabling root logins on Ubuntu / Debian while still allowing selected users to perform root actions, by putting sudo in front of every command we need to run as "super user".
Users and group privileges
Before hardening the root account, make sure there is a user who can run sudo.
To check this, list the members of the sudo group:
$ getent group sudo
This prints the group entry with its members (for example sudo:x:27:alice). We must be, or have, a user in that group, because that is what will let us run commands with root privileges later.
If we harden the login before having such a user, we may lose the ability to administer the system for good.
If we have no user other than root, we can create one with:
$ sudo adduser <username>
This prompts us for a series of details; only the password is mandatory, the rest can be left empty.
Then add the new user to the sudo group:
$ sudo usermod -aG sudo <username>
-a appends the user to its supplementary groups (without -a, -G would replace them all) and -G sudo names the group to add.
Now switch to the user we just created (the new group membership only shows up in a fresh login session):
$ su - <username>
and check again, with id or sudo -l, that this user is in the sudo group and is allowed to run sudo, before going on to remove the ability to log in as root.
The first step in removing the chance of a root login is to change root's shell from /bin/bash (it could be different) to /usr/sbin/nologin in /etc/passwd. /usr/sbin/nologin is the Debian/Ubuntu path; /sbin/nologin only exists on systems with a merged /usr. usermod -s or chsh -s make the same change and validate it; if you prefer to edit the file by hand, open it with root privileges:
$ sudo nano /etc/passwd
then look for the root row and change its last field as described. The result should be:
root:x:0:0:root:/root:/usr/sbin/nologin
Save the file and close it.
Now whoever tries to obtain a root login shell (su -, sudo -i, or a console login) receives the message "This account is currently not available". This is the default message; it can be customised in /etc/nologin.txt. Note that this does not affect sudo <command> or sudo -s, which run as root without ever starting root's own shell: that is the intended way of keeping the ability to administer the system.
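The user check and the shell change above are one procedure, and the one mistake that cannot be undone is locking root's shell with no other sudoer left. The script below is an added example, not part of the original article: it merges the two places a sudoer can be recorded (the members list in /etc/group, which is what getent group sudo shows, and the primary group field in /etc/passwd, which it does not show), refuses to lock root unless a non-root sudoer with a usable login shell exists, and only touches the real system when APPLY=1 is set. The passwd/group contents, the names alice and bob, and the WORK directory are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): a lockout guard for the steps above.
# Functions take passwd/group file paths, so they run against the constructed samples
# below, or against /etc/passwd and /etc/group on a real host.
set -u

# sudo_members PASSWD GROUP: print every account in the Debian "sudo" group, one per line.
# `getent group sudo` only lists supplementary members (4th field of /etc/group); an
# account whose PRIMARY group is sudo (4th field of /etc/passwd) is a sudoer too but does
# not appear there, so both sources are merged.
sudo_members() {
  local passwd="$1" group="$2" gid
  gid=$(awk -F: '$1=="sudo"{print $3}' "$group")
  [ -n "$gid" ] || return 1
  {
    awk -F: '$1=="sudo"{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]!="") print m[i]}' "$group"
    awk -F: -v g="$gid" '$4==g{print $1}' "$passwd"
  } | sort -u
}

# login_shell USER PASSWD: print the account's login shell field.
login_shell() {
  awk -F: -v u="$1" '$1==u{print $7}' "$2"
}

# safe_to_lock_root PASSWD GROUP: succeed only if a sudoer other than root keeps a real
# login shell. (A locked password would also block sudo; that needs /etc/shadow and is
# not checked here.)
safe_to_lock_root() {
  local passwd="$1" group="$2" u shell
  for u in $(sudo_members "$passwd" "$group"); do
    [ "$u" != root ] || continue
    shell=$(login_shell "$u" "$passwd")
    case "$shell" in
      ""|*/nologin|*/false) continue ;;
      *) return 0 ;;
    esac
  done
  return 1
}

# Constructed sample: the sudo group lists only alice, who cannot log in, but bob's
# primary group is 27 (sudo), so bob is the one who keeps the system administrable.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/sbin/nologin
bob:x:1001:27:Bob:/home/bob:/bin/bash
EOF
grep -v '^bob:' "$WORK/passwd" > "$WORK/passwd.nobob"   # same system without bob
cat > "$WORK/group" <<'EOF'
root:x:0:
sudo:x:27:alice
EOF

echo "sudo members (group + primary gid): $(sudo_members "$WORK/passwd" "$WORK/group" | tr '\n' ' ')"
if safe_to_lock_root "$WORK/passwd" "$WORK/group"; then echo "with bob:    safe to lock root"; fi
if ! safe_to_lock_root "$WORK/passwd.nobob" "$WORK/group"; then echo "without bob: REFUSE, you would lock yourself out"; fi

# Real system (needs root): change root's shell only when the guard passes.
if [ "${APPLY:-0}" = 1 ]; then
  if safe_to_lock_root /etc/passwd /etc/group; then
    sudo usermod -s /usr/sbin/nologin root
  else
    echo "refusing: no other account with sudo and a login shell" >&2
    exit 1
  fi
fi
```

Run it as-is to see the two sample verdicts; run APPLY=1 ./guard.sh on the machine being hardened and it will either change root's shell or refuse with the reason.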
SSH
SSH (Secure Shell) is the most widespread way to take control of another machine over an encrypted connection. The server is present on most Debian/Ubuntu servers and cloud images (not on desktop installs), listens on port 22 by default and is constantly probed, which is why disabling the root account for it matters so much.
The service is configured in /etc/ssh/sshd_config:
$ sudo nano /etc/ssh/sshd_config
The first thing to do is to make sure the file contains the rule:
PermitRootLogin no
and add it if it is missing. Two things to keep in mind: on current Debian/Ubuntu the default is prohibit-password, which still lets root in with a key, and the file starts with an Include of /etc/ssh/sshd_config.d/*.conf. sshd keeps the first value it reads for a keyword, so a drop-in in that directory wins over a line added further down in sshd_config. After editing, check the syntax with sshd -t, reload the ssh service, and confirm the effective value with sshd -T (grep for permitrootlogin).
This removes the chance of logging in as root over SSH; the next guide will explain how to secure the SSH service properly.
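Because sshd takes the first value it reads for a keyword, "PermitRootLogin no" in sshd_config is not enough when an included drop-in says otherwise. The script below is an added example, not part of the original article: it walks a config the way sshd reads it (Include expanded in place, Match blocks skipped for global keywords, first value wins, OpenSSH default when the keyword is absent) against three constructed configs in a temporary directory. The drop-in name 50-cloud-init.conf and the WORK directory are constructed; the script assumes absolute Include paths (sshd also resolves relative ones against /etc/ssh) and treats a Match block as running to the end of its file, which is enough for the stock Debian/Ubuntu layout. On a live host, sudo sshd -T remains the authoritative answer.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): statically resolve the PermitRootLogin
# value sshd will use, to show why a drop-in under sshd_config.d can override the main file.
set -u
set -f   # no pathname expansion while splitting config lines (e.g. "AcceptEnv LC_*")

# _sshd_walk KEYWORD FILE: print every global value of KEYWORD in the order sshd reads
# them, descending into Include'd files where the Include appears. Keywords are
# case-insensitive; comment lines are ignored; Match blocks are skipped (assumed to run to
# the end of their file, which is how the stock configs are laid out).
_sshd_walk() {
  local key="$1" cfg="$2" line k in_match=0 pat g
  [ -r "$cfg" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    set -- $line
    [ $# -ge 1 ] || continue
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "$k" = match ]; then
      # "Match all" ends a block; anything else starts one
      if [ "$(printf '%s' "${2:-}" | tr 'A-Z' 'a-z')" = all ]; then in_match=0; else in_match=1; fi
      continue
    fi
    [ "$in_match" -eq 0 ] || continue
    if [ "$k" = include ]; then
      shift
      for pat in "$@"; do
        set +f                      # sshd expands globs in Include arguments
        for g in $pat; do _sshd_walk "$key" "$g"; done
        set -f
      done
      continue
    fi
    if [ "$k" = "$key" ]; then shift; printf '%s\n' "$*"; fi
  done < "$cfg"
}

# permit_root_login FILE: the effective value (first one read wins), lower-cased;
# "prohibit-password" is the OpenSSH default when the keyword never appears.
permit_root_login() {
  local v
  v=$(_sshd_walk permitrootlogin "$1" | head -n 1)
  printf '%s\n' "${v:-prohibit-password}" | tr 'A-Z' 'a-z'
}

# root_login_disabled FILE: succeed only when the effective value is "no".
root_login_disabled() {
  [ "$(permit_root_login "$1")" = no ]
}

# Constructed samples: the admin added "PermitRootLogin no" to the main file, but a
# drop-in read first through the Include says yes, so root login is still permitted.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/sshd_config.d" "$WORK/fixed/sshd_config.d"
cat > "$WORK/sshd_config" <<EOF
Include $WORK/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
Match User git
# inside a Match block: not a global value, so it must be ignored here
PermitRootLogin yes
EOF
printf 'PermitRootLogin yes\n' > "$WORK/sshd_config.d/50-cloud-init.conf"
# The same layout after the drop-in has been corrected as well.
sed "s#$WORK/sshd_config.d#$WORK/fixed/sshd_config.d#" "$WORK/sshd_config" > "$WORK/fixed/sshd_config"
printf 'PermitRootLogin no\n' > "$WORK/fixed/sshd_config.d/50-cloud-init.conf"
# A config that never mentions the keyword falls back to the OpenSSH default.
printf 'Port 22\n' > "$WORK/sshd_config.minimal"

printf 'main says no, drop-in says yes : %s\n' "$(permit_root_login "$WORK/sshd_config")"
printf 'keyword absent                 : %s\n' "$(permit_root_login "$WORK/sshd_config.minimal")"
printf 'drop-in corrected              : %s\n' "$(permit_root_login "$WORK/fixed/sshd_config")"
# On a real host, compare with the authoritative view:  sudo sshd -T | grep -i permitrootlogin
```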
PAM
On our systems PAM (Pluggable Authentication Modules) is the framework that handles the authentication tasks of services such as the console login and sshd, and defines what happens when an individual module fails.
The configuration for each service that uses PAM lives in the /etc/pam.d/ directory. There we find the two files we are looking for: login and sshd.
Open both files with root privileges:
$ sudo nano /etc/pam.d/login
and
$ sudo nano /etc/pam.d/sshd
and add, near the top of each (before the @include lines), the following rule:
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers
item=user sense=deny means: if the name of the user being authenticated is listed in the file, the module fails and so does the whole auth stack. onerr=succeed decides what happens when the file cannot be opened: the module succeeds, so the list fails open and nobody is denied. That is the safer choice against locking yourself out, but it also means that a deleted file silently re-enables root; onerr=fail would deny everyone instead.
The same rule can be added to any other file in /etc/pam.d/ to keep root out of other PAM-aware services such as ftp, imap and many more. On Debian most of them share /etc/pam.d/common-auth, so adding the rule there covers them all at once; whatever you choose, test from a second session before closing the one you are in.
Now create the deniedusers file, which must contain one user name per line:
$ sudo nano /etc/ssh/deniedusers
write root inside it and save.
It is also possible to create one file per service if different users must be denied on each service.
Finally, keep the file from being read or modified by others (pam_listfile refuses to use a list that is world-writable or not a plain file):
$ sudo chmod 600 /etc/ssh/deniedusers
TTY
To limit root's access to the physical console we modify /etc/securetty, which lists the terminals on which root is allowed to log in. It is read by the pam_securetty line in /etc/pam.d/login, so check that the line is present there; without it the file has no effect.
We achieve this by emptying the file: the system then finds no terminal on which root may log in. An empty file is not the same as a missing one: when /etc/securetty does not exist, pam_securetty allows the login and only logs a notice. Recent releases may not ship the file at all, in which case the mv below reports that there is no such file and you simply create the empty one.
First rename the existing file to keep a copy of it:
$ sudo mv /etc/securetty /etc/securetty.orig
Then create a new, empty file with the name of the original:
$ sudo touch /etc/securetty
And protect it from being modified by others:
$ sudo chmod 600 /etc/securetty
We should now have two files: the old one, renamed securetty.orig, with the original content, and the new securetty, which is empty. Root is now refused on every terminal; by default pam_securetty still allows root on the kernel console device listed in /proc/consoles unless the noconsole option is added to its line (see pam_securetty(8)). Nothing in this section affects sudo or SSH.
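Both the PAM section and the TTY section rely on a file whose absence and whose emptiness mean different things. The script below is an added example, not part of the original article: it models the decision pam_listfile makes for the rule added above and the decision pam_securetty makes for root on a console, and runs both against constructed files so the edge cases (deny list missing with onerr=succeed versus onerr=fail; securetty emptied versus deleted) are visible before a real system is touched. The user name alice, the tty names and the WORK directory are constructed; the functions take file paths, so they can also be pointed at /etc/ssh/deniedusers or /etc/securetty for a read-only check of a real host. The kernel-console exception of pam_securetty and the permission checks of pam_listfile are deliberately not modelled.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): model of the pam_listfile and
# pam_securetty decisions, exercised against constructed files.
set -u

# listfile_decision USER FILE [ONERR]
# Models: auth required pam_listfile.so onerr=ONERR item=user sense=deny file=FILE
# Prints "deny" or "allow" for the user being authenticated. Other error conditions of
# the real module (e.g. a world-writable list, see pam_listfile(8)) are not modelled.
listfile_decision() {
  local user="$1" file="$2" onerr="${3:-succeed}"
  if [ ! -r "$file" ]; then
    # the list cannot be opened: onerr=fail denies everyone (fail-closed),
    # onerr=succeed lets the module succeed, so nobody is denied (fail-open)
    if [ "$onerr" = fail ]; then echo deny; else echo allow; fi
    return 0
  fi
  if grep -qxF -- "$user" "$file"; then echo deny; else echo allow; fi
}

# securetty_decision USER TTY FILE
# Models pam_securetty as used by /etc/pam.d/login: only root (uid 0) is restricted; a
# MISSING file makes the module succeed (legacy behaviour, it only logs a notice); when the
# file exists, root is allowed only on a tty listed in it, so an EMPTY file denies all.
# A leading /dev/ is stripped from the tty name, as the module does.
securetty_decision() {
  local user="$1" tty="${2#/dev/}" file="$3"
  [ "$user" = root ] || { echo allow; return 0; }
  [ -e "$file" ] || { echo allow; return 0; }
  if grep -qxF -- "$tty" "$file"; then echo allow; else echo deny; fi
}

# Constructed files: the deny list the PAM section tells you to create, the empty
# securetty the TTY section leaves behind, and a typical original securetty.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'root\n' > "$WORK/deniedusers"
chmod 600 "$WORK/deniedusers"
: > "$WORK/securetty.empty"
printf 'console\ntty1\ntty2\n' > "$WORK/securetty.orig"

show() { printf '%-46s -> %s\n' "$1" "$2"; }
show "root,  deny list present"                "$(listfile_decision root  "$WORK/deniedusers")"
show "alice, deny list present"                "$(listfile_decision alice "$WORK/deniedusers")"
show "root,  deny list missing, onerr=succeed" "$(listfile_decision root  "$WORK/absent" succeed)"
show "root,  deny list missing, onerr=fail"    "$(listfile_decision root  "$WORK/absent" fail)"
show "root  on tty1, securetty emptied"        "$(securetty_decision root  /dev/tty1 "$WORK/securetty.empty")"
show "root  on tty1, securetty original"       "$(securetty_decision root  /dev/tty1 "$WORK/securetty.orig")"
show "root  on tty1, securetty deleted"        "$(securetty_decision root  /dev/tty1 "$WORK/absent")"
show "alice on tty1, securetty emptied"        "$(securetty_decision alice /dev/tty1 "$WORK/securetty.empty")"
```

The two "missing" rows are the ones to remember: a deleted deny list re-enables root quietly under onerr=succeed, and a deleted securetty re-enables root on every console, while the emptied one denies it everywhere.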
What's next?
I'm already working on another article about securing your system, and this time it will probably be focused on SSH.
Let me know if you found it useful, if something is not clear, or anything else.