Disable SSH root login in RAC system

Hi All,
We have an Oracle 11.2.7 RAC on Linux. As stated, the SA will disable SSH root login and Nagios will monitor each node in the RAC system.
As far as I know, Nagios only applies DH keys for SSH. But Oracle RAC applies two types of SSH key for SSH equivalency in Oracle CRS.
Does any expert have experience with Oracle RAC and the database when disabling root SSH login on a Linux system?
Thanks very much!
Jin

> Security is not based on the number of keys one needs - but on the quality of the locks.

Partially agree. But just like in the real world, one lock is not enough, even a superb one. Why do cars have immobilisers, defend locks etc.? Why is there a fence in front of some shops' doors? It's very common to have two locks on a front door. It's much harder (at least it takes much more time) to break two locks than to break just one. And the time matters. Back to IT security. A disabled root account is one of the best practices and is reasonable because you can't 100% assure that your administrator is using a strong password every time. He might just forget to change the password after installation. He might set a weak password just for a "temporary" reason. You can of course force password complexity, but of course only once you have the system installed.

> So can passwords. Deep packet inspection can occur unknowingly.

Perhaps we're still talking about SSH, aren't we?

> The user may be targeted using social engineering, instead of targeting the actual computer system.

It's much harder to get two passwords than just one, even by using social engineering.

> The question is whether such a server is exposed to an unsecured or public network. And one would manage the risks differently on such a server than one for example in a private network, protected by a reverse proxy in the DMZ, that in turn provides access from a public network.

OK, so we've got another lock here ;-)

> So if that user is compromised, so can root as that user can gain root access. I do not see this as better security. It is merely obfuscating security.

Which user account? Do you know the name of that account? Because I know the name of yours. ;-) So you need to find the correct account name, get the password for that account and also get the password for the root account, whilst I need to get the password for the root account only.
Yes, I partially agree with the "obfuscation security" term. But in fact this is not the first time obfuscation has been used in security, and it won't be the last.
But you can't consider "PermitRootLogin no" and the "wheel" group as obfuscation.

> Using encryption keys (public & private) is one answer to having to share and keep secrets. No, this is also not 100% safe, but I prefer it over having to know, remember and on occasion, share secrets (passwords).

How well is your local machine secured? Are you using a strong password? Do all accounts on your local machine have strong passwords? Is your local machine up to date for known security bugs (I don't mean zero-days)? Is your local machine in a separate VLAN, or can anybody from the LAN access your machine? Because if there are at least two "No" answers, then how much time will it take for some skilled part-time worker (in your company) to break into your computer, steal the keys or, even worse, use your local machine to access the server?
Don't get me wrong. I am not against encryption keys. Of course I am using them, but in combination with other security restrictions which come from "best practices". And disabling direct root access is one of those practices. Even the NSA (and other security institutions) suggest doing that (see page #37): www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf Also, security auditors check for disabled direct access to privileged accounts.
I understand this as good enough proof that disabling direct access to privileged accounts raises security.
Another good reason is right here:
Install
In other words, if any user has the possibility to log in as root, he uses "root" as the default account, which is another well-known bad practice.
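Jin's practical worry (does "PermitRootLogin no" break RAC user equivalence or Nagios?) is about what sshd actually enforces. Oracle RAC user equivalence is set up between the software-owner accounts (grid/oracle), and Nagios checks are normally run as a dedicated unprivileged user, so neither depends on root logging in over SSH. What does bite people is sshd_config's first-match rule: for each keyword the first value in the file wins, so a "PermitRootLogin no" appended by a hardening script to a file that already says "PermitRootLogin yes" changes nothing. The script below is an added example, not code from this thread; it builds two constructed sshd_config files in a temporary directory and reads them with that first-wins rule (ignoring Match blocks), so the file where the appended "no" is dead text shows up as still allowing root. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example: report the *effective* PermitRootLogin value the way sshd
# reads its config (first occurrence wins; everything from the first "Match"
# line onward is conditional and is left out of the global value).
# Both sshd_config files below are constructed samples, not real hosts.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# "Hardened" by appending to the end of the file: the earlier "yes" wins.
WEAK_CFG="$WORKDIR/sshd_config.weak"
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by a hardening script, but ignored by sshd:
PermitRootLogin no
EOF

# The restriction stated once, before anything else, plus a Match block
# that only applies to the monitoring user.
HARDENED_CFG="$WORKDIR/sshd_config.hardened"
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User nagios
    AllowTcpForwarding no
EOF

# effective_value FILE KEYWORD
# Prints the global value sshd uses for KEYWORD: keywords are case-insensitive,
# the first occurrence wins, and the first "Match" line ends the global section.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match"                 { exit }   # conditional section
        tolower($1) == key                     { print $2; exit }
    ' "$1"
}

# keyword_count FILE KEYWORD
# How many times KEYWORD is set in the global section; more than once means
# at least one line is dead text that a reader will misinterpret.
keyword_count() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { n++ }
        END { print n + 0 }
    ' "$1"
}

# root_login_status FILE
# "disabled" when the effective global PermitRootLogin is "no", "unset" when
# the keyword is absent (OpenSSH then applies its compiled-in default),
# otherwise the value that is actually in force.
root_login_status() {
    v=$(effective_value "$1" PermitRootLogin)
    case "$v" in
        no) echo disabled ;;
        "") echo unset ;;
        *)  echo "$v" ;;
    esac
}

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "$(basename "$cfg"): PermitRootLogin is $(root_login_status "$cfg")" \
         "(set $(keyword_count "$cfg" PermitRootLogin) time(s);" \
         "PubkeyAuthentication=$(effective_value "$cfg" PubkeyAuthentication))"
done

# On a live host (OpenSSH 5.1 and later) the authoritative check is the
# daemon's own view of its configuration, which also resolves Match blocks
# for a given client:
#   sshd -T | grep -i permitrootlogin
#   sshd -T -C user=root,addr=<client-ip> | grep -i permitrootlogin
```

Run it as-is to see the weak file reported as "yes (set 2 time(s))" while the hardened one reports "disabled". After changing sshd_config on a RAC node, the check that matters for the cluster is that the grid/oracle user's key-based login between nodes still works, which PermitRootLogin does not touch; the root restriction only affects sessions that authenticate as root.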

Similar Messages

  • Not able to change normal login password through ssh root login remotely

    I am able to log in to serverb from servera as the root user without a password,
    as I have set up SSH key authentication between the two servers
    ==============================================================
    bash-3.00# hostname
    servera
    bash-3.00# ssh serverb
    Sun Microsystems Inc. SunOS 5.9 Generic May 2002
    You have new mail.
    root@serverb # hostname
    serverb
    root@serverb #
    ==============================================================
    I am also able to execute remote commands from servera to serverb
    through ssh as root:
    ==============================================================
    bash-3.00# ssh serverb "hostname ; date ; uptime;id -a "
    serverb
    Friday December 11 16:52:10 GMT 2009
    4:52pm up 258 day(s), 2:24, 1 user, load average: 0.12, 0.07, 0.06
    uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon),1001(srsncadm
    bash-3.00#
    ==============================================================
    But when I try to change a normal user's login password it gives me the following
    error, even as the root user. Can someone please let me know why it prevents
    a normal login password change through ssh, even for a superuser account?
    =============================================================
    bash-3.00# ssh serverb passwd testuser
    Permission denied
    bash-3.00#

    You cannot "ssh passwd username" remotely, for one thing. Remember, the passwd command is going to ask for input from the terminal.
    Also, look into the pfexec man page because you might need to change roles in order to change the password on the remote system.

  • A security question pertaining to disabling the root login. [SOLVED]

    I've recently been configuring sudo and came across the following piece of advice:
    https://wiki.archlinux.org/index.php/Su … root_login
    After making my normal user a full fledged sudoer I followed the advice in the link above.
    passwd -l root
    worked beautifully without problems in spite of the warnings.
    However on a hunch after going
    ls -l /etc/passwd
    I was dismayed to see that the permission of the file was 644 with owner root. Shouldn't the permission be 640? Otherwise, why would a cracker try to guess who is a sudoer when you can look at /etc/passwd and see myname in the entries and go "OK, root's disabled, this is the only other human user, lemme see if I can crack this..."
    Like, I would have changed the permission on /etc/passwd to 640, but since I'm far from an expert I want to know if this is safe to do / are there any unintended consequences for doing so. Furthermore, even if I can do that, the cracker will then proceed to search for all users who are members of the wheel group. I don't know what command would do this, but clearly there must be a way the OS keeps track of which group has which members. Even if it's possible to safely change the permission of /etc/group to 640 or 600 I don't think it's a good idea, because the cracker will still attempt to find all members of the wheel group, because wheel is universal to Linux.
    My next worry is /etc/shadow. The good news is the permission there is 600. However, there may be other files which can give away my username to the cracker besides /etc/passwd and /etc/group. If so, what are they? Can they be safetyed?
    All in all, was disabling root a good idea? I still want my normal user to have sudo powers for convenience. But even so, if I am right about /etc/passwd then following the advice there simply makes the job one step longer for el cracker muy malo. Can you guys clue me in as to whether or not /etc/passwd can be safetyed without consequence and what is going on with this whole thing?
    Last edited by hiushoz (2011-01-10 05:08:03)

    I don't think you'll be able to change the permissions without error.  If I'm not very much mistaken, several user-space programs (like xterms) read that to determine what your preferred shell is.
    But if I understand the permissions system correctly doesn't the third number dictate access for people that aren't the owner or part of the owners group?
    Yes, that's correct.  However, there's no mechanism for them to view the files. Users can't execute processes (including the shell and its commands) unless they've either logged into your computer or found an exploit somewhere. In the event that they've found the exploit, they're most likely already running in either kernel mode or as root, so your security has already been compromised.
    You're probably confused because of the oft-used terminology 'world readable'. In reality, that means any local user.
    Why would you allow a cracker to login in the first place?
    I think this about sums it up, though I would like to elaborate on what's really being said here. There are several ways to give a cracker access to your computer; the most obvious being granting them a user account and letting them sit at your keyboard.  When you run a script or binary written by someone else, it's very close to the same thing. The program you're running can do everything you can.
    Just as you wouldn't let someone you don't trust sit at your keyboard, you should only run scripts and binaries from users you trust, at least until you've gathered enough skill to scrutinize their contents. By installing the Arch distribution, it seems you already trust Arch and its repositories, so I wouldn't worry so much about those binaries.
    Otherwise why would a cracker try to guess who is a sudoer when you can look at /etc/passwd and see myname in the entries and go like "OK root's disabled this is the only other human user lemme see if I can crack this..."
    This is silly, for a number of reasons:
    1) As above, the user would need to already be logged in as a local user.
    2) There are dozens of other places where you can find lists of local users. Even if you were to change the permissions there, a cracker could easily find a list of probable human users by:
        -Listing the contents of /home/.
        -Reading the file /etc/group; this if anything is even more dangerous, as it hints at which users have administrative rights.
    3) You're trying for security through obscurity. Instead of hiding the usernames, you should attempt to remove any vulnerabilities that would make knowing a username useful.
    Perhaps you'd be better off preventing a brute force attack by monitoring /var/log/auth.log, perhaps with something like Fail2Ban?
    Last edited by ktemkin (2011-01-10 02:23:38)

  • Disable oracle direct login

    Hi ,
    I know how to disable direct root login, but I have to disable direct root login for oracle. I am using Red Hat Enterprise Linux Server release 5.5 (Tikanga).
    Can someone help me ...
    Regards,
    Ani

    You might want to keep in mind though that "su" will break X11 xauth authentication (ssh -X). Having to login as another user is another password layer, but does not necessarily give you more control who gets access. It depends on your password policies and the users maintaining them. It might be a good idea to be careful who receives the Oracle password. Not every access to Oracle requires the Oracle account password or SYSDBA access.

  • Solaris 11 AutoInstaller service profile for ssh to enable root logins?

    Hi Guys,
    I have got a basic system configuration profile that sets various things for my newly installed solaris 11 client.
    I was curious if anyone has a xml service configuration declaration I could use that configures the ssh service to allow remote root logins.
    I'd appreciate it.

    SSH configuration is not held in SMF but in /etc/ssh/sshd_config, so it is not currently possible to use just an AI/SC manifest & profile to do what you ask.
    You need to deliver an updated /etc/ssh/sshd_config file with "PermitRootLogin yes"; you will also need to have your SC profile set up so that the root account is not configured as a role.
    You can deliver the /etc/ssh/sshd_config file either in an IPS package, or you could do it with a custom [first boot script|http://docs.oracle.com/cd/E26502_01/html/E28980/firstboot-1.html#scrolltoc], or use a software_type of archive in your AI manifest to deliver it via cpio/tar.

  • Root login is blocked from telnet ssh pam_unix_session: Can't write lastlog: uid 0: I/O error

    Root login is blocked from telnet ,ssh  error : pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[1969]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[1970]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[1983]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[1984]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[2023]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[2021]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    genunix: vn_rdwr failed with error 0x6
    genunix: kobj_load_module: smp read header failed
    genunix: vn_rdwr failed with error 0x6
    genunix: kobj_load_module: ses read header failed
    sshd[2037]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    sshd[2035]: pam_unix_session: Can't write lastlog: uid 0: I/O error
    Please suggest a fix for the issue; it occurs frequently in Solaris 10.

    Please verify your underlying hardware.

  • Password for Root login in Terminal:

    It seems I had set up the login password for the Administrator that shows when you start/restart the system different from the root login of the terminal. Is that possible?
    I lost my root password, and clueless. My login to the computer using Administrator' name is working fine. But when I enter su at terminal, it asks for the password, and the password seems different from the login password of the administrator. How to reset the root login password?
    Please help.

    By default, root login is disabled, so no password you enter is going to work.
    You can use /Applications/Utilities/NetInfo Manager to enable or disable the root account.
    Alternatively, if you really need a root shell, use sudo -s (assuming your account is in the admin group and can use sudo). This is actually the preferred method of obtaining a root shell.

  • I can't disable the root user

    The OS X says:
    "You should disable the root user if you have no further need of it. A root user can modify and delete any file in the system including system files not available to other users. Having an enabled root user on your system eliminates an important layer of security for your system."
    In order to disable the root user (System Administrator), the OS X says:
    Open Directory Utility, located in the Utilities folder in the Applications folder.
    Open Directory Utility
    Click the lock to make changes, and then enter an administrator name and password.
    Choose Edit > Disable Root User.
    The problem is that the option Disable Root User is not displayed. There is only: Enable Root User
    Is there any other way for removing the System Administrator from the users log in options, when the computer starts?

    Hello Kappy.
    There is something weird about this issue.
    When I bought the machine, the vendor opened it and initiated the system for the first time at the store.
    He typed some random stuff and told me I could change it at home.
    Later, when I tried to open Safari, a keychain prompt asking for a password always appeared, but it wouldn't block access. It was just annoying. I didn't know any password, so I followed the manual to change the original password.
    I don't remember exactly what happened, but after initiating the system with the start up disk 1, and setting a password for the "My Account" user, that password still didn't work for unlocking the keychain.
    Then I started again with disk 1 and selected the other option: System Administrator (root), setting a password for it.
    After that I could operate the access to keychain.
    In System Preferences > Accounts display, the only available user is the original one that the vendor typed at the store, and under its name, referring to it, there is: "Admin"
    So it seems that there are two Administrators, but the root one is the most powerful, and it always appears in the login options under the name "Other..."
    I'm puzzled

  • Enable ftp root login on S11

    Hi ,
    I am testing ftp on a quite recent version of S11: S11u11 update1
    #Last login: Thu Mar 1 15:22:29 2012 from qlogic-47fezfvt
    Oracle Corporation SunOS 5.11 11.1 January 2012
    I am wondering why ftp root login remains disabled, even after I removed "root" from /etc/ftpd/ftpusers and rebooted?
    Mar 1 15:48:43 galilei proftpd[2294]: galilei (::ffff:172.27.1.112[::ffff:172.27.1.112]) - SECURITY VIOLATION: root login attempted.
    Any idea how to allow ftp root login?
    Tom

    Hi Tom,
    I haven't checked the docs for all the steps to enable ftp,
    but I see this output on my s11 system:
    # svcs -a | grep ftp
    disabled Feb_17 svc:/network/ftp:default
    disabled Feb_17 svc:/network/tftp/udp6:default
    Have you enabled the service?
    Thanks,
    Cindy

  • Disabling SSH sharing

    Hi everyone!
    I had downloaded an application called ToMacs, which basically allows me to exchange files over the internet in a secure shell (SSH). But now that I have moved some files over, SSH sharing is left eternally enabled by the app. The problem is that the application doesn't have an option to disable this feature, and now I feel like I'm stuck with an open backdoor or something, and it really bothers me.
    So my question is: how can I disable SSH sharing? There must be a way, but so far my searches have been fruitless.
    Please, can someone help? I would greatly appreciate it!!...

    See if there is anything relevant in...
    /private/var/run/StartupItems
    /Library/StartupItems
    /System/Library/StartupItems
    Also look in your Accounts Pref Pane Login Items window.

  • Problem of Copying the Original VM to 2nd VM in Oracle 11gR2 RAC system

    Folks,
    Hello. I have been installing an Oracle Database 11gR2 RAC system using 2 nodes that are 2 Virtual Machines (rac1 and rac2) on top of VMPlayer 3.
    I follow the tutorial http://appsdbaworkshop.blogspot.com/2011/10/11gr2-rac-on-linux-56-using-vmware.html to do.
    The original Virtual Machine rac1 has run correctly. I configure the rac1 network (eth0 and eth1) by opening VM rac1 and using the command "[root@rac1\] #neat" as root user to invoke the network configuration.
    For the second Virtual Machine rac2, I simply copy all files in "C:\VM\rac1" into "C:\VM\rac2". Then I have done the following:
    1) In the directory "C:\VM\rac2", rename "rac1.vmx" to "rac2.vmx".
    2) Change display name from "rac1" to "rac2" in the file "rac2.vmx".
    The next thing to do for rac2 is to open the Virtual Machine rac2 and configure its network (eth0 and eth1) by using the command "[root@rac2\]#neat" as root user.
    But at this step, I don't understand how to open the Virtual Machine rac2 so that I can configure its network (eth0 and eth1).
    Can any folk tell me how to open the VM rac2 to configure its network by this step ?
    Thanks.

    Folks,
    Hello. Thanks a lot for replying.
    The public IP for eth0 and private IP for eth1 in the file "/etc/hosts" are as follows:
    rac1 eth0 192.168.138.35 eth1 192.168.137.35
    rac2 eth0 192.168.138.36 eth1 192.168.137.36
    In rac1, I have added 2 entries in /etc/hosts as following:
    #VIP for eth0
    192.168.138.130 rac1-vip.localdomain rac1-genetic-vip
    192.168.138.131 rac2-vip.localdomain rac2-cellar-vip
    Then I execute the command: [root@rac1 /]# ping rac2
    Output:
    PING rac2.localdomain (192.168.138.36) 56(84) bytes of data
    From rac1.localdomain (192.168.138.35) icmp_seq=1
    Destination Host Unreachable
    In rac2, I try to add the above 2 entries in /etc/hosts. But cannot save it. The following error message comes up:
    "E45: readonly option is set (add ! to override)".
    My questions are:
    First, do I need to add VIP in the file "/etc/hosts" for both rac1 and rac2 ?
    Second, why rac1 still cannot reach rac2 after add VIP in /etc/hosts for rac1 ?
    Third, why the file "/etc/hosts" in rac2 is read-only ? How to change it to be editable ?
    Thanks.

  • How to open the second VM in Oracle 11gR2 2-nodes RAC system ?

    Folks,
    Hello. I have been installing an Oracle Database 11gR2 RAC system using 2 nodes that are 2 Virtual Machines (rac1 and rac2) on top of VMPlayer 3.
    I follow the tutorial http://appsdbaworkshop.blogspot.com/2011/10/11gr2-rac-on-linux-56-using-vmware.html to do.
    The original Virtual Machine rac1 has run correctly. I configure the rac1 network (eth0 and eth1) by opening VM rac1 and using the command "[root@rac1\] #neat" as root user to invoke the network configuration.
    For the second Virtual Machine rac2, I simply copy all files in "C:\VM\rac1" into "C:\VM\rac2". Then I have done the following:
    1) In the directory "C:\VM\rac2", rename "rac1.vmx" to "rac2.vmx".
    2) Change display name from "rac1" to "rac2" in the file "rac2.vmx".
    The next thing to do for rac2 is to open the Virtual Machine rac2 and configure its network (eth0 and eth1) by using the command "[root@rac2\]#neat" as root user.
    But at this step, I don't understand how to open the Virtual Machine rac2 so that I can configure its network (eth0 and eth1).
    Can any folk tell me how to open the VM rac2 to configure its network by this step ?

    Hi,
    > But by this step, I don't understand how to open the Virtual Machine rac2 so that can configure its network (eth0 and eth1).

    "rac2" is a new virtual machine after you copied it and changed the display name, and you need to add it to the VMware inventory (I am talking about VMware Server; VMware Player should work the same way, as it is supposed to run multiple virtual machines on your PC). Then it will be visible to you. Now start this new machine and edit the network configuration.
    Salman

  • Oracle 11gR2 RAC system Network Connection Problem among VMs

    Folks,
    Hello.
    I am installing Oracle Database 11gR2 RAC system using 2 Virtual Machines (rac1 and rac2) on the top of VMPlayer 3.
    I configure Network for rac1 and rac2 as following:
    rac1 eth0 192.168.138.35 eth1 192.168.137.35
    rac2 eth0 192.168.138.36 eth1 192.168.137.36
    [root@rac2 \]# ping rac1
    output: 64 bytes from rac1.localdomain (127.0.0.1) ... ...
    [root@rac1 \]# ping rac2
    Error: Ping rac2.localdomain... ... Destination Host Unreachable.
    My questions are:
    First, why can rac1 not reach rac2 while rac2 can reach rac1?
    Second, how can I have rac1 reach rac2?

  • How do I disable the GUEST login option at start up screen

    how do I disable the GUEST login option at start up screen.
    I have already gone to
    System Pref'>Users and Groups>Unlocked it with password>Guest User is OFF>Allow guests to log into this computer is NOT CHECKED,
    however I still have that GUEST USER selection on the login screen.

    Hello Leopardus,
    having read another post concerning this issue,
    Re: Removing Guest User icon from login page
    dated all the way back to 2012, I have decided to leave well enough alone and not let the GUEST button bother me.
    I rarely if ever take my Mac out of the house so I have not given much thought to theft or loss, but, in the event of it leaving my house by another way, the slim possibility of recovering it is worth the annoyance, I'll get over it.
    Thank you all.

  • How can we disable user to login Hyperion Workspace

    We understand we can set admin mode for Hyperion Planning so that only the administrator can log in to the system. Are there any other ways to disable users from logging in to Hyperion Workspace? We are using Hyperion version 11.1.1.1
    Thanks a lot!

    JohnGoodwin wrote:
    Hi,
    Just to confirm: you want to stop users creating Financial Reports using the Reporting Studio? If so, then you would remove the role of "Report Designer" in their provisioning.
    Cheers
    John
    http://john-goodwin.blogspot.com/
    Thanks John. We just want to stop users using FR reports prepared in Reporting Studio and put under "Explore" in Workspace. We found that we can't do that once the user is logged in to Workspace. The only way we can do it is to set up the security setting of each FR report based on the group setting.
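The closing advice in the sudo/root-login thread above, watch /var/log/auth.log for brute-force attempts rather than hiding usernames, is the one suggestion in that discussion worth turning into a concrete check. The script below is an added example, not code from any of the threads; it runs over a few constructed auth.log lines (documentation-range addresses, made-up usernames) and reports which source addresses crossed a failed-password threshold. This is the same logic Fail2Ban's sshd filter applies before it bans an address; the function names and the threshold are the example's own.

```shell
#!/bin/sh
# Added example: count repeated SSH password failures per source address
# from auth.log-style lines and list the sources that crossed a threshold.
# The log below is constructed for the example; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan 10 02:11:03 box sshd[4101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Jan 10 02:11:05 box sshd[4101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Jan 10 02:11:08 box sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Jan 10 02:11:09 box sshd[4105]: Accepted publickey for myname from 198.51.100.20 port 41002 ssh2
Jan 10 02:11:12 box sshd[4107]: Failed password for myname from 198.51.100.20 port 41010 ssh2
Jan 10 02:11:15 box sshd[4109]: Failed password for invalid user oracle from 203.0.113.7 port 50220 ssh2
Jan 10 02:11:19 box sshd[4111]: Failed password for invalid user test from 203.0.113.7 port 50223 ssh2
Jan 10 02:11:20 box sshd[4112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
EOF

# failed_password_counts FILE
# Prints "<count> <source-ip>" for every address with at least one
# "Failed password" line, highest count first. Only sshd's own failure line
# is matched, so the pam_unix line for the same attempt is not counted twice,
# and successful "Accepted" logins are ignored.
failed_password_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" \
        | sort -rn
}

# offenders FILE THRESHOLD
# Prints the addresses whose failure count is at least THRESHOLD, one per line.
offenders() {
    failed_password_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "Failed SSH password attempts by source address:"
failed_password_counts "$LOG"
echo "Sources with 3 or more failures (Fail2Ban's shipped default maxretry is 5;"
echo "3 is used here only to keep the sample log short):"
offenders "$LOG" 3
```

The single failure from 198.51.100.20 is the legitimate user mistyping once, which is why the threshold exists; a real deployment reads the live log (or journal) on a sliding time window and feeds the offending addresses to a firewall rule, which is exactly what Fail2Ban automates with its `sshd` filter and jail.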
