OK, so the default access rules on a linux machine are quite lax

Here's how to make them better.

This guide will cover limiting who can log on where by text, not on any graphical stuff (hence being in the server admin section ;] )

---

Access control is done through a file called /etc/security/access.conf

access.conf is composed of one entry per line, with fields separated by a colon (:)

The fields are:

• Whether to allow or disallow
• Who to allow or disallow
• Where to allow or disallow

So as an example, to disallow root login from anywhere other than local terminals:


The minus sign says to disallow, then there is root (the account you're limiting), and then ALL EXCEPT LOCAL, which says that you want the rule to apply to everywhere except locally

If you wanted to allow root to login on tty1, you would have


Again, with the plus saying that you want to allow, the root being the account you are limiting, and the tty1 being where you are limiting.


The way that I have my servers set up now is to disallow root logins everywhere except tty1 (so I know that I can only be logged in in one place), and disallow anyone who isnt in the wheel or clilogin groups.

Actually I'd argue that there are a lot of times that you need to log in as root from a remote location, that's why the firewalls in Linux disallow ports by defaults, which means if you want to open ports for say ssh, you do it.

Also a lot of Linux systems like Ubuntu actually disallow root login even locally

That's odd since Ubuntu actually has the root login completely disabled by default..., in favour of people using sudo

read this:
https://help.ubuntu.com/community/RootSudo

I do agree with you 100% that all distributions should do this by default