Advice on protecting root account

Status
Not open for further replies.
RoadHazard

RoadHazard

Explorer
Joined
Nov 29, 2015
Messages
83
Go easy on me...

When I was installing, configuring, and tweaking my FreeNAS system I always logged in as root. This made it (relatively) easy to create directories, modify permissions, and generally tweak whatever settings I needed to get things running smoothly. But now that it *is* running smoothly, I know that an active root login/password is a big security hole.

What is the conventional wisdom regarding this? Do I disable the root account and instead start using another login with similar privileges to do my dirty work? I'm certain there's a thread somewhere on this topic, but I haven't been able to find it. A quick pointer would be great, thanks.
 
danb35

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Well, you won't be able to disable the root login to the web GUI; root is the only user that can log in to the web GUI anyway. You can disable password logins via ssh (which would probably be a good idea), and possibly even disable root logins via ssh at all (requiring you to log in as a different user, and then su to root when necessary).

If you don't have a good degree of trust in your LAN users, you could configure a second NIC on your server to use a different subnet, and have the web GUI only listen on that NIC. I wouldn't think it would be worth doing this in a home environment, but if it's in a business setting it might be.
 
RoadHazard

RoadHazard

Explorer
Joined
Nov 29, 2015
Messages
83
Thanks, that's helpful.

Just so I'm clear -- and so I don't shoot myself in the foot -- we're talking about logging in via the web GUI, selecting 'Account' then 'Users' then highlighting 'root' (user ID 0), then 'Modify User' and then finally checking the option 'Disable password login', correct?

My fear is locking myself out of my own system through ignorance. At least then it would be secure! ;-)
 
danb35

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
RoadHazard said:
we're talking about logging in via the web GUI, selecting 'Account' then 'Users' then highlighting 'root' (user ID 0), then 'Modify User' and then finally checking the option 'Disable password login', correct?
Click to expand...
Yes, that should do it. Take a backup of the config first--if it all goes sideways, you can reset to factory defaults at the console, upload your saved config, and you'll be back where you were before.
 
Chris Moore

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
FreeNAS and pfSense are both built on BSD and in such a way that if you plug a monitor and keyboard into the hardware, you have access to the menu where you can reset the root password. You basically can't lock yourself out of the unit because they designed it that way.
I don't think it is a good idea to try to disable root on FreeNAS because of the way it is made to be an appliance, but let us know how it works out.
It can always add to the knowledge base.
 
danb35

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Chris Moore said:
You basically can't lock yourself out of the unit because they designed it that way.
Click to expand...
It's absolutely possible to lock yourself out, but you have to work at it a bit. If you disable the console menu, then disable password logins for root, then turn off the SSH service, for example, all of which can be done through the web GUI, you'll be well on your way.
Chris Moore said:
I don't think it is a good idea to try to disable root on FreeNAS because of the way it is made to be an appliance, but let us know how it works out.
Click to expand...
I don't see it as being a problem--you shouldn't routinely be logging into the shell at all, so blocking root from doing that shouldn't cause a problem.
 
RoadHazard

RoadHazard

Explorer
Joined
Nov 29, 2015
Messages
83
danb35 said:
Yes, that should do it. Take a backup of the config first--if it all goes sideways, you can reset to factory defaults at the console, upload your saved config, and you'll be back where you were before.
Click to expand...

Okay, done. And it didn't explode!
 
Chris Moore

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
danb35 said:
It's absolutely possible to lock yourself out, but you have to work at it a bit. If you disable the console menu, then disable password logins for root, then turn off the SSH service, for example, all of which can be done through the web GUI, you'll be well on your way.

I don't see it as being a problem--you shouldn't routinely be logging into the shell at all, so blocking root from doing that shouldn't cause a problem.
Click to expand...
Like you said, I think you would have to work at it.
I have SSH turned on and allow myself to login as root that way so that I can do some admin tasks but I have not used that in several months, now that I have all my scripts setup to run and mail the results to me.
With a decent password and being on my home network, is this really a big problem?
At work, we have a back-end management LAN that only the admins have access to, but I don't secure my home network like that.
Is this a recommended action?
 
danb35

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Chris Moore said:
At work, we have a back-end management LAN that only the admins have access to, but I don't secure my home network like that.
Is this a recommended action?
Click to expand...
For a work environment, it's probably a good idea. For home? Unlikely.
 
Status
Not open for further replies.

Similar threads

MasterOfPuppets
  • Locked
Can't login as root
Replies
4
Views
2K
MasterOfPuppets
MasterOfPuppets
C
  • Locked
FreeNAS 9.2.0 and IPFW
Replies
3
Views
2K
ChrisUK1978
C
K
Replication with Non-Root User on Target System
Replies
1
Views
1K
jgreco
jgreco
I
  • Locked
Help Issues with user permission
Replies
1
Views
968
anodos
anodos
A
SOLVED Can access SMB share root, children invisible and have no permissions. chmod fails.
Replies
2
Views
1K
homer27081990
homer27081990
Top