Especially for not physically owned servers, like virtual servers, it makes sense to not only set the focus on SSH security. For virtual servers it’s quite common to have a virtual serial console which is accessible over your server control panel.
If someone grands access to this server control panel, the user has direct access to the system logon. Login control, like limit access to public key authentication, is part of SSH and is not active here. Because you shouldn’t trust the sever provider in terms of perfectly implemented security, it’s a good practice to also take this channel into account.
One solution is to completely disable the serial console after system boot. This makes a booted system inaccessible over the serial console. The following configuration is working on Debian with systemd.
Modify /etc/systemd/logind.conf and set ReserveVT and NAutoVTs to 0. This controls how many virtual terminals are reserved or allocated by the system.
# This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. # # See logind.conf(5) for details [Login] #NAutoVTs=6 ReserveVT=0 NAutoVTs=0 #ReserveVT=6 #KillUserProcesses=no #KillOnlyUsers= #KillExcludeUsers=root
systemctl disable email@example.com service firstname.lastname@example.org stop
The status of the disabled service should be like this.
service email@example.com status ● firstname.lastname@example.org - Getty on tty1.service Loaded: loaded (/lib/systemd/system/getty@.service; disabled) Active: inactive (dead) Docs: man:agetty(8) man:systemd-getty-generator(8) http://0pointer.de/blog/projects/serial-console.html
After rebooting the system, you can still see the system boot including GRUB (boot loader) and also interrupt the system boot procedure. But after a complete system boot, the running system is inaccessible from the serial console.