CentOS differs from many other distros by enabling the root account during setup. I prefer Ubuntu’s (and OS X’s) way of using a separate admin account and keeping the root account disabled. When there is a need to perform an administrative task, just run the command with sudo; this easily reduces the risk of abusing root privileges and doing stupid things. Following this guide, I was able to make this work on CentOS.
- First, log in as the root account. You can switch to root from any account by running
  su
  and typing the root password.
- Enable sudo. If you are not comfortable with vim, run
  export EDITOR=gedit
  first. Now run
  /usr/sbin/visudo
  The lines starting with # are comment lines and will be ignored. Just uncomment the following line:
  # %wheel ALL=(ALL) ALL
  by removing the # at the beginning. This line means that anybody in the group wheel can use sudo to run anything from anywhere.
- Add an account to the group wheel. For example, if the account you use to perform administrative tasks is isteering, run
  gpasswd -a isteering wheel
  Now you can sudo from user isteering.
- Disable the root account. This is done by running passwd to lock the account:
  passwd -l root
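The four steps above are the kind of change that is worth rehearsing on copies of the files first and auditing afterwards. The following POSIX sh helpers are an added example of mine, not code from the post or from CentOS: they uncomment the wheel rule in a sudoers file given as an argument, check wheel membership in a group file and check that root is locked in a shadow file, so the whole sequence can be tried on `cp`'d files before `/etc/sudoers`, `/etc/group` and `/etc/shadow` are touched. The function names and the file-argument design are my own; the sudoers line and the user name isteering come from the post, and the file formats assumed are the standard CentOS ones.

```shell
#!/bin/sh
# Added example, not part of the original post: POSIX sh helpers that apply
# and verify the sudo/wheel/root-lock steps against files passed as arguments,
# so the edit can be rehearsed on copies (e.g. cp /etc/sudoers /tmp/sudoers.test)
# before the real /etc/sudoers, /etc/group and /etc/shadow are modified.
# Assumed formats are the standard CentOS ones; the user isteering is the
# post's example account.

# uncomment_wheel SUDOERS: activate "# %wheel ALL=(ALL) ALL".  The anchored
# pattern leaves the neighbouring "# %wheel ALL=(ALL) NOPASSWD: ALL" alone.
uncomment_wheel() {
    f=$1
    tmp=$(mktemp) || return 1
    sed 's/^#[[:space:]]*%wheel[[:space:]]*ALL=(ALL)[[:space:]]*ALL[[:space:]]*$/%wheel ALL=(ALL) ALL/' \
        "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing inode so owner and 0440 mode survive.
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# sudoers_syntax_ok SUDOERS: ask visudo to parse a candidate file before it
# is installed (run as root on the real system; not used by the checks below).
sudoers_syntax_ok() {
    visudo -c -f "$1" >/dev/null
}

# wheel_enabled SUDOERS -> 0 if an uncommented wheel rule is present
wheel_enabled() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# in_group GROUPFILE GROUP USER -> 0 if USER appears in GROUP's member list,
# which is what "gpasswd -a USER GROUP" adds (the primary group from
# /etc/passwd is not considered here).
in_group() {
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "$1")
    case ",$members," in
        *",$3,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# root_locked SHADOWFILE -> 0 if root's hash field starts with "!", the
# marker that "passwd -l root" prepends
root_locked() {
    hash=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case $hash in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# sudo_setup_ok SUDOERS GROUPFILE SHADOWFILE USER: one-shot audit of the end
# state the post aims for; reports what is missing and returns 1 on any failure.
sudo_setup_ok() {
    ok=0
    wheel_enabled "$1"       || { echo "wheel rule still commented in $1"; ok=1; }
    in_group "$2" wheel "$4" || { echo "$4 is not in group wheel";        ok=1; }
    root_locked "$3"         || { echo "root account is not locked";      ok=1; }
    return $ok
}

# Stand-alone run against the live system (read-only checks):
# sudo_setup_ok /etc/sudoers /etc/group /etc/shadow isteering
```

Running `sudo_setup_ok` against the live files after the steps is a quick way to confirm nothing was skipped; `uncomment_wheel` is meant for a copy, followed by `sudoers_syntax_ok` on that copy, since a syntax error in the real `/etc/sudoers` locks everyone out of sudo at once.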
It is quite obvious that after we perform the above steps, we have just created a second root account: the user isteering is exactly the same as the root user, just with a different name. So we have not added much protection if the attacker can guess the name of this new account. You might therefore want to consider limiting where the user can log in from. Use your favorite editor to edit the file /etc/security/access.conf and add the following line for the admin group:
-:wheel:ALL EXCEPT LOCAL 192.168.1. 72.14.207.99
This denies users in group wheel from logging in from anywhere except the 192.168.1. subnetwork (note the trailing dot, which makes the entry a prefix match) or the host 72.14.207.99. You still need to add this line
auth required pam_access.so
to /etc/pam.d/sshd to tell the SSH server to consult the access control list; otherwise the SSH server will by default ignore this access control mechanism built into PAM.
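Rules like the one above are easy to get subtly wrong (a missing trailing dot, or the pam_access line never being added to the sshd service), and the result is only discovered when someone is locked out or not. As an added example of mine, not code from the post or from pam_access itself, the following POSIX sh functions reproduce how pam_access decides a login from an access.conf file, given the user, the user's groups and the login origin, and check whether a PAM service file actually loads pam_access.so. They cover only the subset of the access.conf grammar the post uses (`+`/`-`, ALL, LOCAL, bare user or group names, trailing-dot prefixes, one EXCEPT in the origins field); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a small POSIX sh evaluator that
# reproduces how pam_access decides a login from an access.conf file, given
# the user name, the user's group list and the login origin.  It covers only
# the subset of the access.conf grammar used in the post: "+"/"-" permission,
# ALL, LOCAL, bare user or group names, trailing-dot network prefixes and one
# EXCEPT in the origins field.  Function names are my own.

# match_origin TOKEN ORIGIN -> 0 if TOKEN matches ORIGIN
match_origin() {
    tok=$1; org=$2
    case $tok in
        ALL)   return 0 ;;
        # LOCAL: an origin without a dot, i.e. a tty or the console, not a host
        LOCAL) case $org in *.*) return 1 ;; *) return 0 ;; esac ;;
        # "192.168.1." style prefix: the trailing dot is what stops it from
        # also matching 192.168.10.x or 192.168.100.x
        *.)    case $org in "$tok"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$tok" = "$org" ] ;;
    esac
}

# match_origins "TOK TOK EXCEPT TOK" ORIGIN -> 0 if any token before EXCEPT
# matches and no token after EXCEPT does
match_origins() {
    list=$1; org=$2
    include=${list%%EXCEPT*}
    case $list in *EXCEPT*) exclude=${list#*EXCEPT} ;; *) exclude= ;; esac
    hit=1
    for t in $include; do
        if match_origin "$t" "$org"; then hit=0; break; fi
    done
    [ $hit -eq 0 ] || return 1
    for t in $exclude; do
        if match_origin "$t" "$org"; then return 1; fi
    done
    return 0
}

# match_users "TOK TOK" USER "GROUP GROUP" -> 0 if a token is ALL, the user
# name, or one of the user's groups (pam_access tries user first, then group)
match_users() {
    list=$1; user=$2; grps=$3
    for t in $list; do
        [ "$t" = ALL ] && return 0
        [ "$t" = "$user" ] && return 0
        for g in $grps; do
            [ "$t" = "$g" ] && return 0
        done
    done
    return 1
}

# access_decision CONF USER "GROUPS" ORIGIN -> prints allow or deny.
# The first matching line wins; when no line matches, pam_access allows.
access_decision() {
    conf=$1; user=$2; grps=$3; org=$4
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        perm=${line%%:*}; rest=${line#*:}
        users=${rest%%:*}; origins=${rest#*:}
        if match_users "$users" "$user" "$grps" && match_origins "$origins" "$org"; then
            case $perm in '+') echo allow ;; *) echo deny ;; esac
            return 0
        fi
    done < "$conf"
    echo allow
}

# pam_access_enabled PAMFILE -> 0 if the service file loads pam_access.so
# (the post uses the auth phase; the account phase is the more usual home)
pam_access_enabled() {
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+required[[:space:]]+pam_access\.so' "$1"
}

# Stand-alone usage against the live files (read-only):
# access_decision /etc/security/access.conf isteering "$(id -Gn isteering)" 10.0.0.5
# pam_access_enabled /etc/pam.d/sshd && echo "sshd consults access.conf"
```

With the post's rule, a wheel member arriving from 192.168.1.42, 72.14.207.99 or a local tty gets `allow`, while 10.0.0.5 and also 192.168.10.5 get `deny`; the latter is the case the trailing dot protects. Checking the real decision is still a job for `sshd` with a second session left open, since the evaluator above does not see the account phase or any other PAM modules.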
References:
- More advanced information on PAM
- A python module to access PAM
This suggestion may work well for a server setup, but it has the unfortunate side effect of locking the user out from a desktop setup of CentOS when attempting admin functions through GNOME.
My suggestion instead of locking the root password is to disable root logins through ssh by adding the following line to /etc/ssh/sshd_config
PermitRootLogin no
This still permits the root user to login at the workstation. If physical access is an issue, locking the account via passwd lockout is probably a better choice.
Also, the CSF firewall could be installed to secure the server.
I took this tip from the article:
Complete CentOS secure server setup
http://www.sysadmin.md/complete-centos-secure-server-setup.html
Thanks for this post, and Sanjiyan for your comment. Helped me when setting up my CentOS server. I’m running cPanel so had a couple of quirks, but got there in the end. Wrote a post describing what I did: http://www.robsearles.co.uk/2009/06/30/securing-centoscpanel-with-sudo/
Thanks once again.
Rob
Sir, now I have a problem enabling the root passwd; I’ve tried $ passwd -u root after making it disabled with $ passwd -l root, could you please help?
@nuhadek “passwd -u root” worked for me well. Just make sure you run this command with root privileges. In other words, do “sudo passwd -u root” if necessary. This will re-enable log in of root with the old password. You could also simply do “sudo passwd root” to set a new password for the account and enable it.
Sir, I wrote those commands in the terminal, but still can’t access my root passwd, please help, thanks.
Could you post your shell session here?
Sorry sir, it’s not working.
Maybe I am doing something wrong.
I am using RHEL5, doing the same as what you mentioned here.
I disabled my root password using passwd -l root, how can I enable it again?
Just use `sudo passwd root` to set a password for root again.
enabling password on centos
Hello! I also wrote a small tutorial on sudo and CentOS/RHEL. It also has a small introduction to vi:
http://www.libre-software.net/sudo-on-centos-scientific-linux-and-rhel