4

I am trying to secure root access on my Ubuntu servers (running 14.04 desktop and 16.04 server). I would like to disable root access on all TTYs except TTY1. I know this can be done by editing /etc/securetty and commenting out all devices except TTY1, but I am unsure about the Local X displays. Should I comment those out as well? What about the UART serial ports, Serial Mux devices, Chase serial card, Cyclades serial cards, etc.?

There are so many devices so I am unsure as to how to deal with securing this file. Can you lead me in the correct direction as to what devices I should disable for a working system but root can only log in from TTY1?

1 Answer

3

I think you're spending your effort on trifles. If Bad Guy can attach a terminal, Bad Guy can boot from his USB.

But, since man securetty says "securetty - file which lists terminals from which root can log in", it implies that you could comment out all but TTY1. Commenting out (or not) lines for hardware you don't have makes no difference.

Since, if you mess with /etc/securetty, you can end up locked out of your system, you must test carefully. If you have batch or at set up and running, you could do this by setting up a root batch job to do:

cp /etc/securetty /etc/securetty.original
cp /tmp/modified.securetty /etc/securetty
sleep 20m
cp /etc/securetty.original /etc/securetty

And do your testing in the next 20 minutes, after which, the original (working) /etc/securetty is restored.

waltinator
  • 37,856
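
A sturdier variant of the timed rollback in the answer above, as an added example (not the answerer's code): it refuses a candidate file unless tty1 is its only active entry, and it restores the original even if the wait is interrupted. The function names and the `--apply` flag are hypothetical.

```shell
#!/bin/sh
# Added example: timed trial of a modified securetty with guaranteed rollback.
# Function names and the --apply flag are hypothetical, not from the answer.

# Print the active entries of a securetty-style file:
# comments, trailing whitespace and blank lines are dropped.
active_ttys() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Succeed only if tty1 is the one and only active entry, so root keeps
# exactly one way in and the file is not accidentally left empty.
only_tty1() {
    [ "$(active_ttys "$1")" = "tty1" ]
}

# trial_swap TARGET CANDIDATE SECONDS
# Install CANDIDATE over TARGET, wait, then put the original back.
# Runs in a subshell so the traps and exits stay local to the trial.
trial_swap() (
    target=$1 candidate=$2 seconds=$3
    only_tty1 "$candidate" || { echo "candidate must list only tty1" >&2; exit 1; }
    backup="$target.original"
    cp -p "$target" "$backup" || exit 1
    restore() { cp -p "$backup" "$target"; }
    trap restore EXIT                 # restore on any exit path
    trap 'exit 130' INT HUP TERM      # turn signals into an exit, so EXIT fires
    cp "$candidate" "$target" || exit 1   # overwrite in place, keeps owner and mode
    sleep "$seconds"
)

# Real use, as root (constructed invocation):
#   sh trial.sh --apply /tmp/modified.securetty 1200
if [ "${1:-}" = "--apply" ]; then
    trial_swap /etc/securetty "$2" "$3"
fi
```

The rollback cannot run if the job is killed with SIGKILL or the machine loses power during the wait, so keep a root shell open on tty1 while testing.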