Access control

Ensure sudo commands use pty

Limit sudo access and prevent attackers from exploiting sudo privileges to execute malicious programs that persist even after termination.

1. Open the /etc/sudoers file or a file in /etc/sudoers.d/ for editing with visudo -f.

2. Add the following line:

   Defaults use_pty

Limit SSH access

Restrict SSH access to authorized users only mitigates the risk of unauthorized logins and brute-force attacks. Configure SSH allow lists or group-based access policies to enforce this restriction.

In the /etc/ssh/sshd_config file, set one or more parameters as follows:

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

Prohibit root login using passwords over SSH

Disallow root login with password-based authentication as it makes the system vulnerable to brute-force attacks. To strengthen security, enforce key-based authentication for root accounts.

1. Add an SSH key for the root user, as described in Securing root access to cluster nodes over SSH in the Administrator Guide.

2. Prohibit password authentication for the root user over SSH by running:

   # echo 'PermitRootLogin prohibit-password' > /etc/ssh/sshd_config.d/01-permitrootlogin.conf

Set SSH LoginGraceTime to one minute or less

Configure the LoginGraceTime parameter in SSH to a low value, such as 60 seconds, to limit the time allowed for successful authentication before a connection is terminated. This minimize the risk of brute-force attacks and limit unauthenticated connection attempts.

In the /etc/ssh/sshd_config file, set the LoginGraceTime parameter to 60:

LoginGraceTime 60

Enable CHAP authentication for iSCSI targets

Implement Challenge Handshake Authentication Protocol (CHAP) for iSCSI connections to authenticate both initiators and targets using a shared secret, preventing unauthorized devices from accessing iSCSI targets.

To configure CHAP authentication for iSCSI targets, refer to Managing CHAP users in the Administrator Guide.