Why would you do this? Well, everyone knows that 'root' (the username) is the admin of your box, so by denying 'root' remote access to ssh into your box you are making it just a wee bit harder for the hackers to get into your box, since now they will have to guess a username on your box.
1. As root,
Code:
vi /etc/ssh/sshd_config
2. In there find (or create) a line that reads
Quote:
# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
The line PermitRootLogin no is the important one. Note there is no # in front of it.
3. Once you have made those changes, save the file (esc then :wq).
4. Restart sshd (service sshd restart).
With this line root cannot ssh into the box. To become root, ssh in as a normal user then use su - to become root once logged in.
cheers
anyweb
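An added example (not anyweb's script, and not part of the original thread) that performs the edit in the steps above on a copy of sshd_config and syntax-checks it before anything is restarted, so a typo in the value cannot leave the daemon dead on a remote box. The config path is passed in as a parameter; on a real system it is /etc/ssh/sshd_config and the edit needs root. The sample config at the bottom is constructed for the demo, and the helper assumes a flat file with no Match blocks.

```shell
#!/bin/sh
# Added example, not code from the original thread. Edits an sshd_config
# idempotently, then checks it before "service sshd restart".
# Assumption: a flat config with no Match blocks (directives inside a Match
# block would be rewritten too).

# set_sshd_directive FILE KEY VALUE
# Replace every existing KEY line (commented out or not, any case) with a
# single "KEY VALUE" line, or append one when KEY is absent. sshd honours the
# first occurrence of a keyword, so a stray earlier copy would silently win.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop leading blanks and "#"
            n = split(line, f, "[ \t]+")
            if (n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                # drop duplicates and commented copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_directive FILE KEY
# Print the value sshd would use: the first uncommented KEY line.
get_sshd_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_yes_no FILE KEY
# sshd accepts only lower-case "yes"/"no" for boolean keywords; "No" makes the
# daemon refuse to start (the mistake reported in the thread). Returns 0 when
# the value is acceptable, 1 otherwise.
check_yes_no() {
    case "$(get_sshd_directive "$1" "$2")" in
        yes|no) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_sshd_config FILE
# Full syntax check with the daemon itself (sshd -t -f FILE) when sshd is
# installed and we are root (it needs to read the host keys); otherwise fall
# back to the yes/no check on PermitRootLogin. Run this before the restart.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        sshd -t -f "$1"
    else
        check_yes_no "$1" PermitRootLogin
    fi
}

# Constructed sample config: only the lines relevant to the thread.
demo_config() {
    cat > "$1" <<'EOF'
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
Protocol 2,1
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    demo_config "$f"
    set_sshd_directive "$f" PermitRootLogin no
    set_sshd_directive "$f" Protocol 2      # also shown later in the thread
    check_sshd_config "$f" && cat "$f"
    rm -f "$f"
fi
```

The awk pass strips the comment marker before comparing the keyword, which is what turns the distribution's "#PermitRootLogin yes" placeholder into the live "PermitRootLogin no" line rather than leaving two copies behind.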
Nice tip, thanks. For anyone that makes silly mistakes like me: typing No instead of no caused an error when I tried to restart ssh. Once I changed it, the restart went fine.
Having your sshd die on you is scary, so if you are working on remote boxen, always run a usermode sshd on port 4000 or something as a spare in case something goes wrong... or webmin or something.
Something that I do with my sshd_config...
Code:
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
Change from Protocol 2,1, because having it as 2,1 doesn't necessarily mean 1 is a fallback method; i.e. sshd might just negotiate 1 first up, which is just nasty. So make sure your box does not support telnet or ssh 1.
I make it listen on a single IP address that's unused by other services; this helps to segregate services, or if you want to tcp wrapper the service.
Also some other neat settings
Code:
AllowUsers dallas, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd
and other popular system accounts (which in most cases have their shell set to /bin/false).
da!!as
Hmm, I've tried this
Code:
AllowUsers test, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd
and I cannot log in as user 'test', I always get permission denied; I can log in as user 'anyweb' though. Yes, I've restarted sshd.
If I remove either anyweb or the test user (from the AllowUsers) and restart sshd, then I can ssh in as that person no problem, so what is the issue?
cheers
anyweb
AllowUsers - if specified, login is allowed ONLY for the usernames that match the patterns you set there, SEPARATED BY SPACES <-- :)
Manpages rock
i.e.:
Code:
AllowUsers test anyweb user? users*
No need to deny, as it will ONLY allow those...
Or you can:
Code:
DenyUsers test anyweb user? users*
Accept all users EXCEPT those in deny users.
Use one or the other.
Good stuff, thanks znx and jy in IRC.
So for others out there, the correct format is
Code:
AllowUsers test anyweb
DenyUsers www oracle daemon ftpd spamd
cheers
anyweb
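An added example, not code from the thread or from OpenSSH, that reproduces how sshd evaluates AllowUsers and DenyUsers so the comma-separated attempt above and the corrected space-separated form can be compared offline. It is deliberately simplified: patterns are matched against the bare user name (sshd also accepts user@host forms) and AllowGroups/DenyGroups are ignored. The two config files are constructed for the demo; the fixed one also carries the "user? users*" wildcards from znx's reply.

```shell
#!/bin/sh
# Added example, not code from the original thread. Mimics sshd's
# AllowUsers/DenyUsers decision: DenyUsers is checked first, then, if any
# AllowUsers line exists, a user matching none of its patterns is refused.

# glob_match PATTERN WORD: shell case globbing gives exactly the ? and *
# wildcards these directives use.
glob_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# user_in_list LIST USER: LIST is the remainder of a directive line, split on
# whitespace as sshd does. "test," (comma attached) is one token that never
# equals "test", which is why the first attempt in the thread failed.
# Runs in a subshell so "set -f" (no filename expansion of the patterns)
# does not leak into the caller.
user_in_list() (
    set -f
    for pat in $1; do
        glob_match "$pat" "$2" && exit 0
    done
    exit 1
)

# ssh_user_allowed CONFIG USER: prints "allow" or "deny".
ssh_user_allowed() {
    cfg=$1 user=$2
    deny=$(awk 'tolower($1) == "denyusers"  { $1 = ""; print }' "$cfg")
    allow=$(awk 'tolower($1) == "allowusers" { $1 = ""; print }' "$cfg")
    if user_in_list "$deny" "$user"; then
        echo deny; return
    fi
    if [ -n "$allow" ] && ! user_in_list "$allow" "$user"; then
        echo deny; return
    fi
    echo allow
}

# Constructed sample: the thread's first (broken) attempt.
write_broken_cfg() {
    cat > "$1" <<'EOF'
AllowUsers test, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd
EOF
}

# Constructed sample: the corrected form, plus the wildcard patterns from
# the reply above.
write_fixed_cfg() {
    cat > "$1" <<'EOF'
AllowUsers test anyweb user? users*
DenyUsers www oracle daemon ftpd spamd
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    b=$(mktemp); g=$(mktemp)
    write_broken_cfg "$b"; write_fixed_cfg "$g"
    for u in test anyweb www root user1 users_backup user12; do
        printf '%-13s broken=%-5s fixed=%s\n' "$u" \
            "$(ssh_user_allowed "$b" "$u")" "$(ssh_user_allowed "$g" "$u")"
    done
    rm -f "$b" "$g"
fi
```

With the broken file, "test" is denied not by DenyUsers but because the only AllowUsers tokens are "test," and "anyweb"; the same comma problem means "www," in DenyUsers would not have stopped the www account either, it was only kept out because it was absent from AllowUsers.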
Is there a way to deny SSH from an address range? Or in that case only allow it?
I have direct login disabled, and I have another user with ssh enabled (in cpanel). However there is one more step I need to do, I think...
X@X.net [~]# su -
-bash: /bin/su: Permission denied
X@X.net [~]# su-
-bash: su-: command not found
Quote: Is there a way to deny SSH from an address range? Or in that case only allow it?
Yes there is, ssh respects the /etc/hosts.allow and /etc/hosts.deny.
For instance:
Code:
$ cat /etc/hosts.deny
ALL: ALL
$ cat /etc/hosts.allow
# Allow localhost, my local LAN, my work
ALL: 127.0.0.1
ALL: .home EXCEPT voyager.home
sshd: .abdn.ac.uk
That setup says:
DENY, ALL services from ALL hosts.
ALLOW, ALL services from 127.0.0.1.
ALLOW, ALL services matching .home EXCEPT voyager.home (my LAN).
ALLOW, SSHD service, from matching .abdn.ac.uk (my work).
You can look up more interesting tricks with hosts.allow and hosts.deny.
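An added example, not part of the original reply and not the tcp_wrappers code itself: a small evaluator for hosts.allow/hosts.deny rules so a rule set like the one above can be checked for a given (service, client) pair before it goes live on a remote box. It follows the library's order (hosts.allow first, then hosts.deny, allow when neither matches) and supports only a subset of the pattern syntax: ALL, exact names, leading-dot suffix patterns such as .home, trailing-dot prefix patterns such as 192.168.1., and EXCEPT. The real library also understands address/mask, @netgroup and KNOWN/UNKNOWN/PARANOID; for those use tcpdmatch(8). The two rule files are constructed copies of the ones quoted above, with EXCEPT spelled as the library expects.

```shell
#!/bin/sh
# Added example, not code from the original thread. Evaluates a (service,
# client) pair against hosts.allow / hosts.deny the way tcp_wrappers does,
# for the pattern subset listed in the comments below.

# token_match PATTERN NAME: one pattern against one host or service name.
# ALL matches anything; ".suffix" matches names ending in it; "prefix."
# matches names starting with it; anything else must match exactly.
token_match() {
    pat=$1 name=$2
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$name" in *"$pat") return 0 ;; esac ;;
        *.)  case "$name" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

# list_match LIST NAME: LIST is "a b c" or "a b EXCEPT x y". NAME must match
# a member before EXCEPT and none of the members after it.
list_match() {
    list=$1 name=$2
    before=${list%%EXCEPT*}
    after=
    case "$list" in *EXCEPT*) after=${list#*EXCEPT} ;; esac
    hit=1
    for t in $before; do
        token_match "$t" "$name" && hit=0
    done
    [ "$hit" -eq 0 ] || return 1
    for t in $after; do
        token_match "$t" "$name" && return 1
    done
    return 0
}

# file_matches FILE SERVICE CLIENT: true when some "daemon_list : client_list"
# line in FILE matches both. Comment lines are skipped and an optional third
# ": shell_command" field is ignored.
file_matches() {
    file=$1 svc=$2 client=$3
    [ -f "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | {
        while IFS= read -r line; do
            case "$line" in *:*) ;; *) continue ;; esac
            daemons=${line%%:*}
            rest=${line#*:}
            clients=${rest%%:*}
            if list_match "$daemons" "$svc" && list_match "$clients" "$client"; then
                exit 0          # matching rule found (exits this subshell only)
            fi
        done
        exit 1                  # no rule matched
    }
}

# tcpd_decide SERVICE CLIENT [ALLOW_FILE DENY_FILE]: prints "allow" or "deny".
tcpd_decide() {
    svc=$1 client=$2 allow=${3:-/etc/hosts.allow} deny=${4:-/etc/hosts.deny}
    if file_matches "$allow" "$svc" "$client"; then echo allow
    elif file_matches "$deny" "$svc" "$client"; then echo deny
    else echo allow             # neither file matched: access is granted
    fi
}

# Constructed copies of the two files quoted in the thread.
write_rules() {
    cat > "$1" <<'EOF'
# Allow localhost, my local LAN, my work
ALL: 127.0.0.1
ALL: .home EXCEPT voyager.home
sshd: .abdn.ac.uk
EOF
    cat > "$2" <<'EOF'
ALL: ALL
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    a=$(mktemp); d=$(mktemp)
    write_rules "$a" "$d"
    for pair in sshd/127.0.0.1 sshd/laptop.home sshd/voyager.home \
                sshd/pc.abdn.ac.uk ftpd/pc.abdn.ac.uk sshd/10.0.0.5; do
        printf '%-20s %s\n' "$pair" "$(tcpd_decide "${pair%/*}" "${pair#*/}" "$a" "$d")"
    done
    rm -f "$a" "$d"
fi
```

Because hosts.deny ends with ALL: ALL, the only way in is through a hosts.allow line, which is why a work address reaching ftpd is refused while the same address reaching sshd is let through; note also that the leading-dot patterns rely on reverse DNS for the client, so a host whose name does not resolve will fall through to the deny rule.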