Monday, April 26, 2010

Control remote access with pam_access

You need to enable the pam_access module first. Uncomment the following line in the /etc/pam.d/login and /etc/pam.d/sshd files:
account  required       pam_access.so

Secure Administrative Logins

Modify /etc/security/access.conf to disallow remote logins to administrative accounts and local logins to non-administrative accounts. The order of entries is important, because pam_access applies the first rule that matches the user and origin:
#
# Disallow non-root logins on tty1
#
- : ALL EXCEPT root : tty1
#
# Allow root login on tty1
+ : root : tty1
#
# Disallow console logins
- : ALL : LOCAL
#
# ...
#
# User "root" is denied access from all
# other sources
- : root : ALL

Secure Network Logins

Set up a group to control which users can access the system remotely (via ssh).
groupadd -r sshusers
Modify /etc/security/access.conf so that only the sshusers group is granted network access.
# Allow group 'sshusers' to get access from everywhere
+ : (sshusers) : ALL
#
# All other users are denied access from
# all sources.
- : ALL : ALL
Add users to the sshusers group:
usermod -a -G sshusers user1
The changes take effect immediately; you do not have to reboot.
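Because a wrong rule order in access.conf can lock out the administrator, it is worth checking the policy before deploying it. The following added example (not from this post) simulates pam_access's first-match evaluation of the rules from both sections above, including ALL, ALL EXCEPT, (group) entries and the classic LOCAL keyword (an origin without a dot); the GROUPS table and the allowed() function are constructed for the example.

```python
"""Simulate pam_access first-match evaluation of access.conf rules.

Added example: models the documented '+'/'-' rules, ALL / ALL EXCEPT,
(group) entries and the classic LOCAL keyword (origin without a '.').
Group membership is a constructed in-memory table, not /etc/group.
"""

# The rules from the post, in the order they appear in access.conf.
ACCESS_CONF = """
- : ALL EXCEPT root : tty1
+ : root : tty1
- : ALL : LOCAL
- : root : ALL
+ : (sshusers) : ALL
- : ALL : ALL
"""

# Constructed group membership (stand-in for a getgrouplist() lookup).
GROUPS = {"user1": {"sshusers"}, "root": set(), "guest": set()}

def parse_access_conf(conf):
    """Return [(permit, user_tokens, origin_tokens)] skipping comments."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def field_matches(tokens, value, is_user):
    """Match one user or origin field; handles 'ALL EXCEPT a b'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (field_matches(tokens[:i], value, is_user)
                and not field_matches(tokens[i + 1:], value, is_user))
    for tok in tokens:
        if tok == "ALL" or tok == value:
            return True
        if is_user and tok.startswith("(") and tok.endswith(")"):
            if tok[1:-1] in GROUPS.get(value, set()):   # group entry
                return True
        if not is_user and tok == "LOCAL" and "." not in value:
            return True                                  # classic LOCAL
    return False

def allowed(user, origin, conf=ACCESS_CONF):
    """True if the login is permitted; no matching rule means allow."""
    for permit, users, origins in parse_access_conf(conf):
        if field_matches(users, user, True) and field_matches(origins, origin, False):
            return permit
    return True
```

Running allowed() over the expected logins (root on tty1, root over the network, an sshusers member over the network, a console login by an ordinary user) shows whether the policy does what the comments claim, and swapping the last two rules shows why order matters.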
