How to block Root access and use sudo permissions

As a matter of server policy, I usually block root access over SSH
and create an admin user, to whom I give sudo permissions to manage the server.
To disable root login, edit the sshd_config file:
# vi /etc/ssh/sshd_config

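Find the line #PermitRootLogin yes, remove the # from it and change the value to 'no'.
Do the same for this line: #StrictModes yes
(StrictModes controls whether sshd checks the ownership and permissions of the user's home directory and files before accepting a login; 'no' turns that check off.)
The section in the sshd_config file should look like this: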
#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6

Now restart the SSH service:
# /etc/init.d/sshd restart
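
A check worth running on the edited file, as an added example that is not part of the original post: it reports the value sshd will actually use for a keyword, since sshd takes the first value it reads and a line left commented out does nothing. The function names and sample files are constructed for illustration, and the parser assumes the whitespace-separated keyword/value form shown above and reads only the global section before any Match block.

```shell
#!/bin/sh
# Added example: find the value sshd will use for a keyword in sshd_config.
# sshd uses the first value it reads for each keyword; keywords are
# case-insensitive and lines starting with '#' are ignored.

# usage: effective_sshd_opt KEYWORD FILE  (prints nothing if KEYWORD is unset)
effective_sshd_opt() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == want { print tolower($2); exit }   # first value wins
    ' "$2"
}

# usage: root_login_blocked FILE  (succeeds only if the effective value is "no")
root_login_blocked() {
    [ "$(effective_sshd_opt PermitRootLogin "$1")" = "no" ]
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin no' 'StrictModes no' \
    '#MaxAuthTries 6' > "$demo_dir/edited"
printf '%s\n' '#LoginGraceTime 2m' '#PermitRootLogin no' > "$demo_dir/still_commented"
printf '%s\n' 'PermitRootLogin yes' 'permitrootlogin no' > "$demo_dir/duplicate"

for f in edited still_commented duplicate; do
    v=$(effective_sshd_opt PermitRootLogin "$demo_dir/$f")
    if root_login_blocked "$demo_dir/$f"; then
        echo "$f: root login blocked"
    else
        echo "$f: NOT blocked (effective value: ${v:-unset, sshd default applies})"
    fi
done
```

On a live server, `sshd -t` validates the configuration file and `sshd -T` prints the effective settings, which is the authoritative check before restarting the service.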

OK, root access is now blocked. The next step is to create the admin user and give it sudo permissions for the commands you choose.
How does it work?
# useradd admin
# passwd admin
(Enter a password of your choice for the admin user)


# /usr/sbin/visudo
Now edit this file to suit your needs.
First, create the User alias specification:
User_Alias ADMIN = admin
Then create the Command alias specification:
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp
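You can add any command here that you want the admin user to be able to run.
A command listed by path alone can be run as root with any arguments, so keep the list as short as the job allows.
Finally, create the User privilege specification: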
ADMIN   ALL=NOPASSWD: CADMIN
In the end, the file should look something like this:

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.

# User alias specification
User_Alias ADMIN = admin

# Cmnd alias specification
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp

# User privilege specification
root    ALL=(ALL) ALL
ADMIN   ALL=NOPASSWD: CADMIN

That's it.
