  1. #1

    How to manage server after disabling root access

    After 10 years of managing my own servers, I finally disabled root access when I recently deployed another server. I really like the added sense of security with the new setup, but it's a real pain when I'm working in the server through sftp. The box is just hosting websites and I have changed the ownership so I can do whatever I need to do within those folders, but when it comes to anything else, i.e. cron, logs and system related tasks, I run into permission errors.

    I understand the permission errors and I can live with them if I have to, but I thought I would reach out to the community to make sure I'm not missing some trick or process that would make things a little easier.

    Thanks

  2. I would recommend setting up 2 user roles.

    user1 will be used for performing system administration tasks and it will have access to limited sudo commands which can be selectively configured by you as a root user.
    user2 will just be used for SFTP and running the child web server processes.

    This way you will avoid root access in normal day to day activities.
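
    A sketch of the limited-sudo account described in the post above, as an added example that is not part of the original post. user1 and user2 are the names from the post; the nginx unit, the /etc/cron.d/site-jobs path and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). user1/user2 come from the post;
# the nginx unit and /etc/cron.d/site-jobs are assumed names.

# sudoers_dropin -> prints a drop-in that gives user1 a short, fixed command list
sudoers_dropin() {
    cat <<'EOF'
# Weak form, shown for contrast only (full root through sudo):
#   user1 ALL = (ALL) ALL
# Restricted form: exact command lines, no wildcards, no shells, and no
# pagers or editors run as root (both offer shell escapes).
Cmnd_Alias WEB_SVC = /usr/bin/systemctl reload nginx, /usr/bin/systemctl restart nginx
Cmnd_Alias CRON_VIEW = /usr/bin/crontab -l -u user2
user1 ALL = (root) WEB_SVC, CRON_VIEW
# sudoedit edits a temporary copy as user1, so the editor never runs as root.
user1 ALL = (root) sudoedit /etc/cron.d/site-jobs
EOF
}

# install_dropin DEST -> syntax-checks with visudo when available, then
# installs the file with mode 0440. A broken sudoers file can lock sudo out,
# so nothing is moved into place unless the check passes.
install_dropin() {
    tmp=$(mktemp) || return 1
    sudoers_dropin > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$1"
}

# Demo: write into a scratch directory instead of /etc/sudoers.d.
demo_dir=$(mktemp -d)
install_dropin "$demo_dir/90-user1" && cat "$demo_dir/90-user1"
rm -rf "$demo_dir"
```

    On a real host the destination would be a file under /etc/sudoers.d, written by root.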

  3. #3
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Easy. Don't do it.

    There are plenty of other methods of security. From requiring ssh keys for root to changing ports to 2FA. In today's world there's no reason to disable root ssh access. Of course there are going to always be differing opinions (even mine), but in the end you need to go with what makes things more convenient and easy for you.

    If all you're using root for is sftp, then you can set up a key for your other users and use those instead.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  4. #4
    Join Date
    Mar 2003
    Location
    /root
    Posts
    23,991
    Moved > Hosting Security and Technology.

    Specially 4 U
    Reseller Hosting: Boost Your Websites | Fully Managed KVM VPS: 3.20 - 5.00 Ghz, Pure Dedicated Power
    JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions, server management and services since 2001
    Debian|Ubuntu|cPanel|DirectAdmin|Enhance|Webuzo|Acronis|Estela|BitNinja|Nginx

  5. #5
    Join Date
    Oct 2012
    Location
    Miami, FL
    Posts
    538
    You can set up an SSH key or use IPMI with KVM console on a white-listed IP space if it is a Dedicated Server. The latter would be recommended for very basic troubleshooting though.

  6. #6
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Yeah, be careful with IPMI. You really don't want to use that for root access, unless you have to. Those interfaces tend to be Java-based and very clunky.

  7. #7
    Join Date
    Apr 2002
    Posts
    1,789
    Disabled all root access or just direct root access?

    You're really just not going to find a way to do some things without root. There's nothing inherently insecure about root. It's just that root can do anything, so you have to be very careful with what you do as root.

    Some tools like sudo might help, but there's really just no way of getting around managing a server without root. Someone's got to have root access to the server. Minimizing who has root access to the server is a key security item. Ensuring that those who have root access know what they are doing is another.

  8. #8
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Take a look at DUO for ssh. If you want absolutely secure systems, this is going to be the way to go about this. You can have root set up for one user to notify your phone and authorize it (I do all the time), and it's probably much less of a convenience than using something like sudo or su. At least, again, for me it is.

  9. #9
    Join Date
    Dec 2011
    Posts
    1,460
    While the case can be made that for ultra-sensitive installations, completely disabling access as 'root' makes sense.

    For a simple webserver? Uh - wow. No.

    Leave 'root' enabled. Leave the ability to SSH/SFTP/SCP as root enabled. Put your public key in root's authorized_keys file, disable password authentication, and then re-enable 'root' logins via local and ssh. There really is no reason not to at that point that isn't ultra-paranoid.

    If you really want to lock things down, firewall port 22 to only permit access to it from known IPs.
    "I've seen spam you people wouldn't believe. Routers on fire off the OCs of AGIS. I watched MXes burning in the dark near the Cyberpromo Gateway. All those moments will be lost in time, like tears in rain. TTL=0."
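
    The setup described in the post above (key-based logins, password authentication off, root login allowed), checked offline as an added example that is not part of the original post. The function names and the sample config are constructed here, and the defaults assumed are those of current OpenSSH.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of an sshd_config.
# sshd keeps the FIRST value read for a keyword; keywords are case-insensitive.
# Lines after a "Match" line are conditional, so the global scan stops there.
# Include files are not followed; `sshd -T` on the host is authoritative.

# effective_value FILE KEYWORD DEFAULT -> first global value, lowercased
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints findings; exit status = number of failures
audit_sshd() {
    fails=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=$pw, want no"; fails=$((fails + 1)); }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk, want yes"; fails=$((fails + 1)); }
    case $root in
        prohibit-password|without-password) ;;   # keys only for root
        yes) [ "$pw" = no ] || { echo "FAIL root can log in with a password"; fails=$((fails + 1)); } ;;
        *) echo "NOTE PermitRootLogin=$root, root key login is not enabled" ;;
    esac
    grep -Eqi '^[[:space:]]*match[[:space:]]' "$1" && echo "NOTE Match blocks present, review them separately"
    return "$fails"
}

# Constructed sample config: duplicate keyword and a Match block on purpose.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real host
PermitRootLogin prohibit-password
PasswordAuthentication no
passwordauthentication yes
Match Address 203.0.113.0/24
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" && echo "OK: key-only logins, root included"
rm -f "$tmp"
```

    The sample passes the global check because the first PasswordAuthentication line wins, while the NOTE line points at the Match block that would turn passwords back on for one address range.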

  10. #10
    Join Date
    Aug 2011
    Location
    India
    Posts
    288
    Disabling root is not a good way. You do not know when you are going to require it. Managing and securing a Linux machine without root level access has too many restrictions compared to its security advantages. As suggested by various members, you should retain the root account and focus more on the access restrictions.
    Fred Bruner
    Business Analyst
    SupportSages.com- Bytes of Wisdom @ Work - Where guarantees and promises are made to keep!
    24/7 Support with 15 mins response time & no charge guarantees

  11. #11
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Quote: Originally posted by SneakySysadmin
    If you really want to lock things down, firewall port 22 to only permit access to it from known IPs.
    Or just change the port altogether. That should be a pretty basic step in securing all ssh installs, though everyone's checklist is going to be different there.

  12. #12
    Join Date
    Dec 2011
    Posts
    1,460
    Quote: Originally posted by twhiting9275
    Or just change the port altogether. That should be a pretty basic step in securing all ssh installs, though everyone's checklist is going to be different there.
    Security by obscurity -- isn't.

    Changing the port might shield you from drive-by brute force attacks, which is enough of a benefit all by itself to justify doing it... but do not kid yourself -- you have not made your server the least bit more secure by doing so.

  13. #13
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Changing the port isn't "hiding" anything, it's not attempting to be obscure, it's just common sense protocol. It's one of the first things one should do.