Control Root Access To Secure Linux System | RHEL 7

This is the second post of How To Secure The Linux System In RHEL7, In which I had explained that how you can secure your RHEL7 machine from security threats. In this post I will explain how you can secure your RHEL7 machine by preventing the root access to unauthenticated users locally & remotely.

1) Change Root Shell: You can change the root account shell to /sbin/nologin in /etc/passwd file. This way root account will have no shell to login.

    This will effect some services to restrict access of root login such as login, gdm, xdm, kdm, su, ssh, scp, sftp. But this will not affect the root access to ftp, email, sudo

2) Disable Root For Physical Console: The  /etc/securetty file which is responsible for giving physical console access of RHEL7 machine. By-default only root is permitted to access machine via physical console mentioned in the file.You can further secure your RHEL7 machine by prevent the physical console access as root. For this you have to clear the list in this file by below command

echo > /etc/securetty

To enable securetty support in the KDM, GDM, and XDM login managers, add the following line:

auth [user_unknown=ignore success=ok ignore=ignore default=bad]

to below files.


This will affect the login, gdm, kdm, xdm & other network services that open a tty. But does not affect su, sudo, ssh, scp, sftp services.

3) Prevent Root SSH : To prevent SSH login via root account , you have to open  /etc/ssh/sshd_config file & make changes in  line  PermitRootLogin yes to  PermitRootLogin no. Remove hash (#) sign from the line.

This will affect the ssh, scp,  sftp services.

4) Using PAM: You can use PAM module file to deny the root access to any user or service. The  /lib/security/ module can be use as reference to deny list of service or users to access login.To limit root access to a system service, edit the file for the target service in the /etc/pam.d/ directory and make sure the module is required for authentication.

Below is the example how the module is used for vsftpd FTP server in the  /etc/pam.d/vsftpd PAM configuration file.

auth required /lib/security/ item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

This instructs PAM to consult the /etc/vsftpd.ftpusers file and deny access to the service for any listed user.

5) Automatic Logout Session: If someone login as root and make system in an idle state. It may increase the risk of your system security. you can configure the system to automatically log out idle users after a fixed period of time.

-First open the /etc/profile file as root

-Add the line trap "" 1 2 3 15 at the beginning. It will make sure that the processing of this file cannot be interrupted.

-Then add the following line in the /etc/profile , to make session out after 120 seconds of idle state.

export TMOUT=120
readonly TMOUT

That's All

Sharing is Caring 😀

Post a Comment