How to Protect Root or Administrator Accounts
It is vital to prevent unauthorised access to your server’s root or Administrator accounts, as they allow full control of the server, and access to all data stored on it. The following tips can help to protect these accounts:
Install security updates:
Security flaws in your OS or other software could be exploited by an ordinary user, or an attacker with unauthorised access to an ordinary user account, to elevate their privileges to root or Administrator level. Therefore, you should ensure that any security updates are installed in a timely manner, and your server or any services restarted if required to apply them. If you are running any End Of Life (EOL) software, you should upgrade as soon as possible.
Use strong authentication:
Choosing a strong password is essential to prevent password-guessing attacks. Passwords should be chosen at random, rather than using personal information that could be determined by an attacker. The longer the password, and the more different elements, such as lower- and upper-case letters, digits and punctuation, that are used, the more difficult it will be for an attacker to guess. A random 16-character password composed of mixed-case letters and digits should protect against all but the most determined attacker. Alternatively, a passphrase (several randomly-chosen words) can provide a high level of security while remaining memorable.
On Linux, SSH keys can be used as an alternative to password-based authentication. These leverage cryptography to provide a higher level of security than passwords; however, you won’t be able to log in without the appropriate private key. As an additional layer of security, PAM can be used to enable two-factor authentication with, for example, Google Authenticator.
Another way to prevent password-guessing attacks is by using an automated system to lock users out after repeated password failures. This can be achieved using software such as cpHulk (part of WHM), fail2ban (which can be controlled through Plesk), lfd or sshguard on Linux, or by setting an account lockout policy in Local Security Policy on Windows. Care must be taken not to lock out legitimate users by setting the policy too strictly.
Set up a firewall and/or VPN:
If you only need to connect to SSH or Remote Desktop from particular IP addresses, you can firewall these services to prevent access from anywhere else. For example, you could use iptables (or a frontend such as Plesk firewall, firewalld, APF or CSF) on Linux, Windows Firewall (or a frontend such as Plesk firewall) on Windows, or an external firewall such as a Cisco ASA.
Alternatively, you could set up a VPN, for example using a Cisco ASA, and configure SSH or Remote Desktop only to accept connections from the local network. This way, you can access these services from anywhere, but only after first connecting to the VPN, providing an additional layer of security.
Configure SSH or Remote Desktop securely:
A number of configuration settings can be changed to harden SSH and Remote Desktop services.
The port on which they listen can be changed from the default. This will do little to stop a determined attacker, but can reduce the frequency of opportunistic attacks against your server.
On Windows Servers, Network Level Authentication should be enabled. This is the default on recent versions.
On Linux servers, you may wish to disable direct root login, requiring authentication as an ordinary user before switching to root using su or sudo.
Watch your logs:
Keeping an eye on your server’s logs can help you to discover unauthorised logins as quickly as possible.
On Linux, SSH logins are recorded in /var/log/auth.log or /var/log/secure, depending on your distribution. Tools such as logwatch and logcheck can be used to provide email digests of these logs, or the pam_exec PAM module can be used to send an email on every SSH login. Note that anyone with root access to the server is able to remove entries from these logs, so they cannot be totally relied upon to discover unauthorised root logins.
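As an added illustration of the log review described above (not part of the original article), this Python script reports successful root logins from addresses outside a trusted set, together with addresses that have repeated failed logins. The log lines are constructed samples in OpenSSH's syslog format, and the names review_auth_log, trusted_ips and fail_threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Mar  3 09:14:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:09 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 09:20:41 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.20 port 41822 ssh2
Mar  3 09:31:17 web1 sshd[2410]: Accepted password for root from 192.0.2.55 port 60001 ssh2
"""

# Matches sshd authentication results, including the "invalid user" variant.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def review_auth_log(text, trusted_ips=(), fail_threshold=3):
    """Return (root logins from untrusted IPs, IPs at or over the failure threshold)."""
    failures = Counter()
    root_logins = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif m["user"] == "root" and m["ip"] not in trusted_ips:
            # line[:15] is the syslog timestamp, e.g. "Mar  3 09:31:17"
            root_logins.append((line[:15], m["method"], m["ip"]))
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return root_logins, noisy

if __name__ == "__main__":
    logins, noisy = review_auth_log(SAMPLE_LOG, trusted_ips={"198.51.100.20"})
    for when, method, ip in logins:
        print(f"root login via {method} from {ip} at {when}")
    for ip, n in noisy.items():
        print(f"{n} failed attempts from {ip}")
```

To use it on a server, pass the contents of /var/log/auth.log or /var/log/secure instead of SAMPLE_LOG. Because root can edit those files, running the check on a copy forwarded to another host gives a more dependable result.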
If you have any questions, please contact our support team on 0808 1 333 247 or click on the button below to submit a support ticket.
CWCS are here to look after your online infrastructure, so you can look after your business!