Deny Root?
Robert83
Hi,

Now this might be a really stupid question to ask, but here it goes anyway...

As you know I've got a firewall, and I will put 3 Ethernet cards in it, 1 for net, 1 for mail, ftp, www server 1 for the DMZ, for local net.

Now the question would be... [since the hackers once inside want root access to the system]

If I install and set up the mailserver the way I want to, is there a way to deny root access to that system, I mean even I couldn't log into the computer?

Only with a system reboot and a bootdisk would I be able to modify the settings of the server...

Is this possible? How?

Sincerely
Robert B
Corey
Personally (without research) I cannot see how this would be possible because if you deny root access, you most likely would not even be able to get access yourself with a bootdisk. All that a bootdisk does is boot the kernel and then drop you back into your system. Even if you boot as 'linux single', you are still required to give your root password.

The only way I could think of would be to scramble your root password (much like how Knoppix does for its default). Then, if you want to install software in the future, you could boot that system with a live CD, such as Gentoo, and chroot into your environment from there and install software.

Personally, I don't see the need for such extreme measures unless you are seriously paranoid :)
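A way to verify the scrambled-root-password state suggested in the reply above, as an added example that is not part of the original posts: it classifies the password field of an account in a shadow-format file. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an account can log in with a password,
# based on field 2 of a shadow-format file.

# Constructed sample entries (not from a real system).
sample_shadow() {
    cat <<'EOF'
root:!!:12345:0:99999:7:::
mail:*:12345:0:99999:7:::
robert:$1$constructed$notARealHashValue0000:12345:0:99999:7:::
guest::12345:0:99999:7:::
EOF
}

# pw_state USER [FILE]  (FILE defaults to /etc/shadow, readable by root only)
# Prints one of: locked, empty, password, missing.
pw_state() {
    user=$1
    file=${2:-/etc/shadow}
    awk -F: -v u="$user" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"     # login needs no password
            else if ($2 ~ /^[!*]/) print "locked"    # no input hashes to this
            else                   print "password"  # a usable hash is set
            exit
        }
        END { if (!found) print "missing" }
    ' "$file"
}

# Exit status 0 only when root has no usable password.
root_pw_disabled() {
    [ "$(pw_state root "${1:-/etc/shadow}")" = "locked" ]
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_shadow > "$tmp"
for u in root mail robert guest; do
    printf '%s: %s\n' "$u" "$(pw_state "$u" "$tmp")"
done
rm -f "$tmp"
```

A locked password field blocks password logins only; a service that already runs as root, or any other login method configured for root, is not affected by it.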
Robert83
Well I'm kinda scared you know, this will be my first e-mail server, probably will be "playing" with it for a few days 07:00-00:00, so I wouldn't like it if some guy came in and deleted everything in / ...

Can you please tell me where might I find a howto or something for this thingie?

Sincerely
Robert B
hughesjr
Actually ... what you want to do (that WBEL and RHEL don't do natively yet) might be to use SE Linux.

I have never used this or installed it, but it does limit what access a process has ... so even if it is broken into, it restricts what can be done.

You would need to download the kernel source, compile your own kernel, and then download and compile all the utility programs to replace the ones on your system ....

I would think the best way to do SE Linux would be to use Gentoo ... HERE
hughesjr
Personally,

With the DMZ firewall properly configured at the border, iptables also on the web/mail/ftp servers locally, with security patches applied in a timely manner, and with tripwire / chkrootkit / snort ... you should be very safe.

Actually, there are so many places that don't set up their systems that way, that most people will stay away from the sites that do all these things...

If you also get the PortSentry going on the firewall, you should be extremely safe.....