---

---

Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 40 The "root" account is the most privileged account on a Unix system. The "root" account has no security restrictions imposed upon it. This means the system assumes you know what you are doing, and will do exactly what you request -- no questions asked. Therefore it is easy, with a mistyped command, to wipe out crucial system files. When using this account it is important to be as careful as possible. For security reasons, never log in on your server as "root" unless is absolutely necessary for tasks that necessities "root" access. Also if your are not on your server, never sign in and let in as "root". VERY VERY VERY BAD. 6.    Set login time out for the root account Although the notice to never if their are not on the server, sign in and let in as “root”, administrators still stay as “root” or forget to logout after finishing their works and leave their terminals unattended. The answer to solve this problem is to make the bash shell automatically logout after not being used  for a period of time. To do that, you must set the special variable of Linux named “TMOUT” to the time in seconds of no input before logout. Edit your profile file “vi /etc/profile” and add the following line somewhere after the line that read “HISTFILESIZE=” on this file: TMOUT=7200 The value we enter for the variable “TMOUT=” is in second and represent 2 hours (60 * 60 = 3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your “/etc/profile” file then the automatic logout after two hours of inactivity will apply for all users on the system. So instead if your prefer to control which users will be automatically logout and which ones not, you can set this variable in their individual “.bashrc “ file. After this parameter has been set on your system, you must logout and login again (as root) for the change to take effect. 7.    The “/etc/exports” file If you are exporting file systems using NFS service, be sure to configure the “/etc/exports” file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible. Edit the exports file (vi /etc/exports) and add: As an example: /dir/to/export host1.mydomain.com(ro,root_squash) /dir/to/export host2.mydomain.com(ro,root_squash) Where “/dir/to/export” is the directory you want to export, host#.mydomain.com is the machine allowed to log in this directory, the <ro> option mean mounting read-only and the <root_squash> option for not allowing root write access in this directory. For this change to take effect you will need to run the following command on your terminal: [root@deep]# /usr/sbin/exportfs -a NOTE: Please be aware that having an NFS service available on your system can be a security risk. Personally, I don't recommend using it. 8.    Disabling console program access