HOWTO: The Computer Classroom July 7, 2001  
 
3.2 Network Access

About 80% of cases of network intrusion are inside jobs — perpetrated by local users who have some access to your system (Anonymous 29). These “trusted” users have a more intimate knowledge of your system, so it must be guarded against this friendly fire. Several measures can be taken to secure your system a bit more against both local and Internet crackers. One of the first tasks is defining who has command line access to the server and the workstations, both physically and remotely. The first file we will edit is /etc/security/access.conf on the server. By adding the following line, no user but root will be able to log in on a console, i.e., by physically sitting down and logging in at the server itself:

- : ALL EXCEPT root : LOCAL

This line will limit local logins to the root account. If you made an account for yourself as the administrator, you can list it in the same line after root. For example, my account name is lucas, so my line reads:

- : ALL EXCEPT root lucas : LOCAL

The workstations work similarly, but you do not want any of the student accounts to gain command line access, so the line is slightly different:

- : ALL EXCEPT root : tty1 tty2 tty3 tty4 tty5 tty6 tty8 tty9 tty10 tty11

This line denies access to any user on any console other than tty7, the X-Windows login console. Giving users command line access is just asking for trouble: it allows them to use the many cracker tools available to attack your server and others on the Internet. Keeping command line access to a minimum strengthens both your own LAN’s security and that of others.

Next, you need to add a pluggable authentication module (PAM) to your login file, /etc/pam.d/login, that consults /etc/security/access.conf when a user attempts to log in. Add this line to /etc/pam.d/login:

account required /lib/security/pam_access.so

This module will then consult the /etc/security/access.conf file you edited above any time a user attempts to log in to your system, and it will deny the logins you restricted in /etc/security/access.conf.
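Before deploying rules like the server and workstation lines above, it helps to check how they will be evaluated. The following is an added example, not code from the HOWTO or from pam_access itself: a small evaluator for the subset of the access.conf syntax this section uses ('+'/'-' permission, user lists with ALL EXCEPT, and origins given as LOCAL or tty names). LOCAL is modelled here as any origin without a dot (a tty or bare hostname), which is a simplification of the real keyword, and the sample configs are constructed from the lines in the text.

```python
"""Simplified pam_access-style evaluator for /etc/security/access.conf rules.

Added example, not the HOWTO's or pam_access's own code. It covers only the
features used in this section; real pam_access also understands groups,
network addresses and more, so use it to sanity-check rules, not replace it.
"""

def parse_rules(text):
    # Each non-comment line is "permission : users : origins".
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def _list_matches(items, value, allow_local):
    # Evaluates "ALL", "ALL EXCEPT a b" and plain lists against one value.
    if items[:2] == ["ALL", "EXCEPT"]:
        return value not in items[2:]
    for item in items:
        if item == "ALL" or item == value:
            return True
        # Assumption: LOCAL matches origins without a dot (ttys, bare hosts).
        if item == "LOCAL" and allow_local and "." not in value:
            return True
    return False

def access_allowed(rules, user, origin):
    # The first matching rule decides; if no rule matches, access is granted.
    for perm, users, origins in rules:
        if _list_matches(users, user, False) and _list_matches(origins, origin, True):
            return perm == "+"
    return True

# Constructed sample configs mirroring the server and workstation lines above.
SERVER_CONF = "- : ALL EXCEPT root lucas : LOCAL\n"
WORKSTATION_CONF = (
    "- : ALL EXCEPT root : tty1 tty2 tty3 tty4 tty5 tty6 tty8 tty9 tty10 tty11\n"
)

if __name__ == "__main__":
    server = parse_rules(SERVER_CONF)
    for user, origin in [("root", "tty1"), ("lucas", "tty1"), ("student", "tty1")]:
        print(f"server  {user:8} from {origin:6}: {access_allowed(server, user, origin)}")
    ws = parse_rules(WORKSTATION_CONF)
    for user, origin in [("student", "tty1"), ("student", "tty7"), ("root", "tty3")]:
        print(f"station {user:8} from {origin:6}: {access_allowed(ws, user, origin)}")
```

Note that the server rule only restricts console (LOCAL) origins, so a student logging in from a remote host with a dotted name is not affected by it; remote access needs its own rule or service configuration.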

 
© 2001 by grlucas.com; all rights reserved