
Tutorial: How to Secure the Root User Account on a Virtual Appliance

Abstract

We recommend you secure the root user account when deploying Access Server as a virtual appliance on a hypervisor such as Hyper-V or VMware ESXi.

Overview

If you install Access Server on a virtual appliance with VMware ESXi or Microsoft Hyper-V, we recommend taking these additional steps to secure the OS root user account.

The root account's initial password on one of our appliances is simplistic. We take precautions with our appliances so that accessing the root account over the network isn't easy, but we still recommend strengthening the password to protect against the risk of someone gaining access to the console.

  • Access Server installed on Hyper-V or ESXi.

  1. Sign on to the operating system as the root user via the console (or sign in and then gain root privileges).

  2. Enter this command to set a new password:

    passwd

    • You've changed the root user's password.

If you can't use the root account for SSH access, you can create your own Linux account for this and adjust the SSH server settings to allow it.

Create a new user with sudo rights

  1. Install the sudo program:

    apt-get -y install sudo

  2. Add a new user:

    adduser <USERNAME>

  3. Give the user the right to run commands as the root user:

    usermod -aG sudo <USERNAME>

    • Where <USERNAME> is a name of your own choice, without spaces or special characters. You can use this account to sign in through SSH and transfer files with programs such as SCP or WinSCP.

  4. To gain root privileges with your new account, run this command and provide the user password:

    sudo su

  5. Finally, we recommend setting up an SSH keypair for signing in with this user account instead of only the username and password.
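After adjusting the SSH server settings for the new account, it helps to confirm what sshd will actually apply. The script below is an added example, not part of the original tutorial or of Access Server: it reads an sshd_config-style file and reports the root-login, password and public-key settings. The function names, the sample file and the FAIL/NOTE labels are assumptions made for illustration.

```shell
# Added example: read the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword; later duplicates lose.
# Assumption: Include files and Match blocks are not followed.
sshd_effective() {    # $1 = file, $2 = keyword, $3 = default if unset
    awk -v want="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments, blank lines
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }                 # global section ends here
        key == tolower(want) && !found { val = tolower(f[2]); found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# Print findings for the settings this page touches; return 1 on any FAIL.
# Defaults passed below are upstream OpenSSH defaults (assumption: your
# distribution has not compiled in different ones).
audit_sshd() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    pub=$(sshd_effective "$1" PubkeyAuthentication yes)
    if [ "$root" = yes ]; then
        echo "FAIL PermitRootLogin yes: root can sign in with a password"; rc=1
    fi
    if [ "$pub" = no ]; then
        echo "FAIL PubkeyAuthentication no: the key pair cannot be used"; rc=1
    fi
    if [ "$pass" = yes ]; then
        echo "NOTE PasswordAuthentication yes: passwords still accepted"
    fi
    return "$rc"
}

# Constructed sample, not from a real appliance: a duplicate keyword, the
# keyword=value form, and a Match block that must not leak into the result.
write_sample() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication=yes
Match User backup
    PubkeyAuthentication no
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_sshd "$tmp" || echo "sshd settings need attention"
rm -f "$tmp"
```

On a live system, `sshd -T` (run as root) prints the configuration sshd resolves, including any Include files, and is the authoritative check.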

Note

AWS appliances already require a secure private/public key pair on an unprivileged account (openvpnas), and then you can “sudo up” to gain root access. AWS has no direct console access, and the root account is blocked from direct SSH access.