05-03-2016, 08:10 AM #1 | Newbie | Join Date: Jul 2009 | Posts: 8
How to manage server after disabling root access
After 10 years of managing my own servers, I finally disabled root access when I recently deployed another server. I really like the added sense of security with the new setup, but it's a real pain when I'm working in the server through sftp. The box is just hosting websites and I have changed the ownership so I can do whatever I need to do within those folders, but when it comes to anything else, i.e. cron, logs and system related tasks, I run into permission errors.
I understand the permission errors and I can live with them if I have to, but I thought I would reach out to the community to make sure I'm not missing some trick or process that would make things a little easier.
Thanks
-
05-03-2016, 08:27 AM #2 | Newbie | Join Date: Jan 2015 | Posts: 24
I would recommend setting up 2 user roles.
user1 will be used for performing system administration tasks and it will have access to limited sudo commands which can be selectively configured by you as a root user.
user2 will just be used for SFTP and running the child web server processes.
This way you will avoid root access in normal day to day activities.
-
05-03-2016, 08:47 AM #3
Easy. Don't do it.
There are plenty of other methods of security. From requiring ssh keys for root to changing ports to 2FA. In today's world there's no reason to disable root ssh access. Of course there are going to always be differing opinions (even mine), but in the end you need to go with what makes things more convenient and easy for you.
If all you're using root for is sftp, then you can set up a key for your other users and use those instead.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
05-03-2016, 09:26 AM #4 | The Linux Specialist | Join Date: Mar 2003 | Location: /root | Posts: 23,991
Moved > Hosting Security and Technology.
-
05-03-2016, 10:40 AM #5 | Disabled | Join Date: Oct 2012 | Location: Miami, FL | Posts: 538
You can set up an SSH key or use IPMI with KVM console on a white-listed IP space if it is a Dedicated Server. The latter would be recommended for very basic troubleshooting though.
-
05-03-2016, 12:39 PM #6
Yeah, be careful with IPMI. You really don't want to use that for root access, unless you have to. Those interfaces tend to be Java-based and very clunky.
-
05-03-2016, 01:09 PM #7 | Web Hosting Master | Join Date: Apr 2002 | Posts: 1,789
Disabled all root access or just direct root access?
You're really just not going to find a way to do some things without root. There's nothing inherently insecure about root. It's just that root can do anything, so you have to be very careful with what you do as root.
Some tools like sudo might help, but there's really just no way of getting around managing a server without root. Someone's got to have root access to the server. Minimizing who has root access to the server is a key security item. Ensuring that those that have root access know what they are doing is another.
-
05-03-2016, 01:23 PM #8
Take a look at DUO for ssh. If you want absolutely secure systems, this is going to be the way to go about this. You can have root set up for one user to notify your phone and authorize it (I do all the time), and it's probably much less of a convenience than using something like sudo or su. At least, again, for me it is.
-
05-03-2016, 04:59 PM #9 | Web Hosting Master | Join Date: Dec 2011 | Posts: 1,460
While the case can be made that for ultra-sensitive installations, completely disabling access as 'root' makes sense.
For a simple webserver? Uh - wow. No.
Leave 'root' enabled. Leave the ability to SSH/SFTP/SCP as root enabled. Put your public key in root's authorized_keys file, disable password authentication, and then re-enable 'root' logins via local and ssh. There really is no reason not to at that point that isn't ultra-paranoid.
If you really want to lock things down, firewall port 22 to only permit access to it from known IPs.
"I've seen spam you people wouldn't believe. Routers on fire off the OCs of AGIS. I watched MXes burning in the dark near the Cyberpromo Gateway. All those moments will be lost in time, like tears in rain. TTL=0."
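As an added example, not part of the post above or any poster's own code: a shell check that an sshd_config matches the setup post #9 describes (root login by key only, password authentication off). The sample config is constructed, the function names are hypothetical, and the parser is simplified in that it ignores Include files and quoted values.

```shell
#!/bin/sh
# Constructed sample input (not taken from the thread).
sample_config() {
cat <<'EOF'
# constructed sshd_config sample
permitrootlogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match Address 203.0.113.0/24
    PasswordAuthentication yes
EOF
}

# Reads a config on stdin. Prints "global VALUE" for the first value seen
# before any Match block (sshd uses the first value obtained per keyword),
# or "global unset", then one "match VALUE" line per setting in Match blocks.
sshd_values() {
  awk -v want="$1" '
    BEGIN { want = tolower(want); glob = "unset" }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
    {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/); key = tolower(f[1])   # keywords ignore case
      if (key == "match") { in_match = 1; next }
      if (key != want) next
      if (in_match) m[++n] = tolower(f[2])
      else if (!seen) { glob = tolower(f[2]); seen = 1 }
    }
    END { print "global " glob; for (i = 1; i <= n; i++) print "match " m[i] }'
}

# Reads a config on stdin; returns 0 only if root is key-only and
# password authentication is off everywhere, Match blocks included.
audit_root_ssh() {
  cfg=$(cat); rc=0
  root=$(printf '%s\n' "$cfg" | sshd_values PermitRootLogin | sed -n 's/^global //p')
  pw=$(printf '%s\n' "$cfg" | sshd_values PasswordAuthentication)
  case "$root" in
    prohibit-password|without-password) ;;
    *) echo "PermitRootLogin is '$root', want prohibit-password"; rc=1 ;;
  esac
  if ! printf '%s\n' "$pw" | grep -qx 'global no'; then
    echo "PasswordAuthentication is not set to 'no' globally"; rc=1
  fi
  if printf '%s\n' "$pw" | grep -qx 'match yes'; then
    echo "a Match block re-enables PasswordAuthentication"; rc=1
  fi
  return $rc
}
```

On a live host, `sshd -T` prints the effective configuration with defaults applied, which is the authoritative view.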
-
05-04-2016, 04:23 AM #10 | Web Hosting Guru | Join Date: Aug 2011 | Location: India | Posts: 288
Disabling root is not a good way. You do not know when you are going to require it. Managing and securing a Linux machine without root-level access has too many restrictions compared to its security advantages. As suggested by various members, you should retain the root account and focus more on the access restrictions.
Fred Bruner
Business Analyst
-
05-04-2016, 06:10 AM #11
-
05-04-2016, 04:13 PM #12 | Web Hosting Master | Join Date: Dec 2011 | Posts: 1,460
-
05-05-2016, 12:32 AM #13
Changing the port isn't "hiding" anything, it's not attempting to be obscure, it's just common sense protocol. It's one of the first things one should do.