Under normal operating parameters, there should never be a need for the root account to log on to a server remotely. Any actions requiring a direct log on to the system as root should be restricted to the local console.
Edit /etc/securetty to reflect the following changes:
tty1
tty2
tty3
tty4
tty5
tty6
Save the changes and perform the following actions:
[root] # chown root:root /etc/securetty
[root] # chmod 400 /etc/securetty
For those machines with poor or non-existent physical security, it is highly recommended to disable the CTRL-ALT-Delete key sequence, which allows anyone at the console to shut down the machine.
Edit /etc/inittab to comment out the following line:
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Save the change and restart the service for it to take effect:
[root] # /sbin/init q
It is a widely held belief that presenting some sort of statutory warning message at login time will assist the prosecution of trespassers on the computer system. Changing the login banners also has the additional benefit of hiding OS version information and other detailed system information that an attacker might find useful when targeting attacks. Clearly, the organization's legal counsel should review the content of all such warnings before any changes are made to the banners.
Edit /etc/motd, /etc/issue, and /etc/issue.net to reflect the appropriate warning message for your organization and save the changes. An example follows:
This system is for authorized use only. All activity may be monitored and/or logged.
An explanation of what each file does is listed below:
/etc/motd - This file displays the "message of the day" once the user has successfully logged into the system.
/etc/issue - This file is displayed to any user that is logging into the system locally.
/etc/issue.net - This file is displayed to those users logging in remotely via SSH, Telnet, or FTP.
Note: Earlier versions of Red Hat Linux contained commands in /etc/rc.d/rc.local that would overwrite /etc/issue and /etc/issue.net each time the system was booted. These commands are not present in the 7.3 release of Red Hat; therefore, modifying the files listed above should be sufficient to display the appropriate warning banner.
Linux provides a mechanism for system maintenance via "Single User Mode", which is typically started while the system is booting. Without a password prompt, this allows an attacker at the console to bypass any system protection and enter run level 1 as root. The ramifications are serious, so the single user mode must be password protected to prevent this from happening.
Edit /etc/inittab to reflect the following change:
id:3:initdefault:
~~:S:wait:/sbin/sulogin
Save the changes and restart the service:
[root] # /sbin/init q
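The four console-hardening steps above (securetty, ctrlaltdel, warning banners, sulogin) are easy to verify after the fact. The following audit script is an added example, not part of the original text or of Red Hat's own tooling: every check takes a file path as its argument so it can be exercised against constructed sample files, and on a real host you would point it at /etc/securetty, /etc/inittab and /etc/issue instead. The sample contents written by make_samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit helpers for the console-hardening steps described above.
# Assumption: checks receive file paths, so they run against sample files here
# and against /etc/securetty, /etc/inittab, /etc/issue on a live system.

# /etc/securetty should list only the local virtual consoles tty1..tty6.
# Succeeds when every non-blank, non-comment line is one of those.
check_securetty() {
    f="$1"
    # a line that is neither blank, a comment, nor tty1..tty6 is a finding
    if grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -Evq '^tty[1-6]$'; then
        return 1
    fi
    return 0
}

# /etc/securetty should be mode 0400 (the chmod step above).
# find prints the path only when the permission bits match exactly.
check_securetty_mode() {
    [ -n "$(find "$1" -perm 400 -print)" ]
}

# The ctrlaltdel action in /etc/inittab must be commented out: any line
# mentioning ctrlaltdel before a '#' (or with no '#' at all) is still active.
check_ctrlaltdel_disabled() {
    ! grep -Eq '^[^#]*ctrlaltdel' "$1"
}

# Single user mode must go through sulogin: an uncommented
# "~~:S:wait:/sbin/sulogin" entry has to be present in /etc/inittab.
check_sulogin() {
    grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$1"
}

# A warning banner should carry the "authorized use only" wording
# (case-insensitive); an empty or missing file is a failure.
check_banner() {
    [ -s "$1" ] && grep -iq 'authorized use only' "$1"
}

# Writes constructed sample files (good and bad variants) into DIR so the
# checks can be exercised without touching the real /etc.
make_samples() {
    d="$1"
    mkdir -p "$d"
    printf 'tty1\ntty2\ntty3\ntty4\ntty5\ntty6\n' > "$d/securetty.good"
    printf 'tty1\ntty2\npts/0\n' > "$d/securetty.bad"
    chmod 400 "$d/securetty.good"
    chmod 644 "$d/securetty.bad"
    printf 'id:3:initdefault:\n# ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n~~:S:wait:/sbin/sulogin\n' > "$d/inittab.good"
    printf 'id:3:initdefault:\nca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$d/inittab.bad"
    printf 'This system is for authorized use only. All activity may be monitored and/or logged.\n' > "$d/issue.good"
    # constructed stand-in for a stock banner that leaks version information
    printf 'Red Hat Linux release 7.3\nKernel \\r on an \\m\n' > "$d/issue.bad"
}

# Prints PASS/FAIL for one check and counts failures in the global "fails".
report() {
    if "$1" "$2"; then echo "PASS $3"; else echo "FAIL $3"; fails=$((fails + 1)); fi
}

# Runs every check; the return value is the number of failed checks.
audit_host() {
    fails=0
    report check_securetty          "$1" "securetty lists only tty1-tty6"
    report check_securetty_mode     "$1" "securetty is mode 0400"
    report check_ctrlaltdel_disabled "$2" "ctrlaltdel entry commented out"
    report check_sulogin            "$2" "sulogin guards single user mode"
    report check_banner             "$3" "warning banner present"
    return "$fails"
}

# Demo run on the constructed samples only (never on the live system).
tmp="${TMPDIR:-/tmp}/console-hardening.$$"
make_samples "$tmp"
echo "== good configuration =="
audit_host "$tmp/securetty.good" "$tmp/inittab.good" "$tmp/issue.good"
echo "== bad configuration =="
audit_host "$tmp/securetty.bad" "$tmp/inittab.bad" "$tmp/issue.bad" || echo "$? check(s) failed"
rm -rf "$tmp"
```

The ctrlaltdel and sulogin checks deliberately match only text that appears before any '#' on a line, so a commented-out entry is treated as inactive while a live entry with a trailing comment is still flagged. The mode check uses find -perm rather than stat so it behaves the same on the older systems this procedure targets.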