> Deny Root?
Robert83
post Mar 3 2004, 10:29 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi,

Now this might be a really stupid question to ask, but here it goes anyway...

As you know I've got a firewall, and I will put 3 ethernet cards in it, 1 for net, 1 for mail, ftp, www server 1 for the DMZ, for local net.

Now the question would be...[since the hackers once inside want root access to the system]

If I install and set up the mailserver the way I want to, is there a way to deny root access to that system, I mean even I couldn't log into the computer?

Only with a system reboot and a bootdisk would I be able to modify the settings of the server...

Is this possible? How?

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
Corey
post Mar 3 2004, 01:36 PM
Post #2


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 1,254
Joined: 21-September 02
From: St John's, Newfoundland, Canada
Member No.: 3



Personally (without research) I cannot see how this would be possible because if you deny root access, you most likely would not even be able to get access yourself with a bootdisk. All that a bootdisk does is boot the kernel and then drop you back into your system. Even if you boot as 'linux single', you are still required to give your root password.

The only way I could think of would be to scramble your root password (much like how Knoppix does for its default). Then, if you want to install software in the future, you could boot that system with a live CD, such as Gentoo, and chroot into your environment from there and install software.

Personally, I don't see the need for such extreme measures unless you are seriously paranoid :)


--------------------
Corey Quilliam
(former) Linuxhelp.ca Administrator
cquilliam-AT-gmail-dot-com

Want to help out Linuxhelp.net? Check out our Linuxhelp Wiki and see if there are some articles you would like to submit!!

--
Ubuntu 8.04 64-bit - Work Laptop (HP-Compaq NC6400 Core2)
Kubuntu 8.04 64-bit - Desktop (HP m8120n QuadCore)
Ubuntu 6.04 - Server (I'm not upgrading this baby until support runs out in 2012) (Some old POS dell)
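
The check below is an added example, not part of the post above or of the thread: it reads copies of `/etc/shadow` and `sshd_config` (for instance from the server's disk mounted under a live CD, as the post describes) and reports whether root can still log in directly. The function names and sample files are made up for illustration, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit whether direct root logins are possible.
# Paths are arguments so the check can run against copies of the real files.

# Classify root's password field in a shadow-format file: locked|empty|hash|missing
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"   # no password needed at all
            else if ($2 ~ /^[!*]/) print "locked"  # "!" or "*" prefix: no password matches
            else                   print "hash"    # a usable password hash is set
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Effective global PermitRootLogin from an sshd_config-format file, or "unset".
# First occurrence wins; Match blocks and Include files are not evaluated here.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# One verdict line: "ok" only when the password is locked AND sshd refuses root.
audit_root_access() {
    pw=$(root_password_state "$1")
    sshd=$(sshd_root_login "$2")
    verdict=ok
    [ "$pw" = locked ] || verdict=review
    [ "$sshd" = no ] || verdict=review
    echo "password=$pw sshd=$sshd verdict=$verdict"
}

# Constructed sample input (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:!$6$constructedsalt$constructedhash:19000:0:99999:7:::' 'mail:*:19000:0:99999:7:::' > "$demo_dir/shadow.locked"
printf '%s\n' 'root:$6$constructedsalt$constructedhash:19000:0:99999:7:::' > "$demo_dir/shadow.open"
printf '%s\n' '# constructed sshd_config' 'Port 22' 'PermitRootLogin no' > "$demo_dir/sshd.no"
printf '%s\n' 'Port 22' '#PermitRootLogin no' > "$demo_dir/sshd.unset"

audit_root_access "$demo_dir/shadow.locked" "$demo_dir/sshd.no"
audit_root_access "$demo_dir/shadow.open"   "$demo_dir/sshd.unset"
```

A locked password only closes the login paths; it does not limit what a compromised service running as root can do, which is the gap the SELinux suggestion later in the thread is aimed at.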
Robert83
post Mar 3 2004, 01:40 PM
Post #3





Well I'm kinda scared you know, this will be my first e-mail server, probably will be "playing" with it for a few days 07:00-00:00, so I wouldn't like it if some guy came in and deleted everything in / ...

Can you please tell me where I might find a howto or something for this thingie?

Sincerely
Robert B


hughesjr
post Mar 3 2004, 02:28 PM
Post #4


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



Actually ... what you want to do (that WBEL and RHEL don't do natively yet) might be to use SE Linux.

I have never used this or installed it, but it does limit what access a process has ... so even if it is broken into, it restricts what can be done.

You would need to download the kernel source, compile your own kernel, and then download and compile all the utility programs to replace the ones on your system ....

I would think the best way to do SE Linux would be to use Gentoo ... HERE


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
hughesjr
post Mar 3 2004, 03:40 PM
Post #5





Personally,

With the DMZ firewall properly configured at the border, iptables also on the web/mail/ftp servers locally, with security patches applied in a timely manner, and with tripwire / chkrootkit / snort ... you should be very safe.

Actually, there are so many places that don't set up their systems that way, that most people will stay away from the sites that do all these things...

If you also get the PortSentry going on the firewall, you should be extremely safe.....

