+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html)
+--- Forum: Remote Access (https://www.linux-noob.com/forums/forum-88.html)
+--- Thread: deny root remote login to ssh (/thread-3123.html)
deny root remote login to ssh - anyweb - 2004-10-11
why would you do this ? well everyone knows that 'root' (the username) is the admin of your box, so by denying 'root' remote access to ssh into your box you are making it just a wee bit harder for the hackers to get into your box since now they will have to guess a username on your box.
1. As root,
Code:
vi /etc/ssh/sshd_config2. In there find (or create) a line that reads
Quote:# Authentication:#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
The line PermitRootLogin no is the important one. Note there is no # in front of it.
3. Once you have made thos changes, save the file (esc then :wq).
4. Restart sshd (service sshd restart).
With this line root cannot ssh into the box. To become root, ssh in as a normal user then use su - to become root once logged in.
cheers
anyweb
deny root remote login to ssh - tek-69 - 2004-10-12
nice tip thanks. for anyone that makes silly mistakes like me, typing No instead of no caused an error when i tried to restart ssh. once i changed it, restart went fine.
deny root remote login to ssh - dallas - 2004-10-12
Having your sshd die on you is scary.. so if you are working on remote boxen, always run a usermode sshd on port 4000 or something as a spare in case something goes wrong... or webmin or something..
Something that I do with my sshd_config...
Code:
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::change from Protocol 2,1 because having it has 2,1 doesn't necessarily mean 1 is a fallback method; ie sshd might just negotiate 1 first up which is just nasty. so make sure your box does not support telnet or ssh 1.
I make it listen on a single ip address thats unused from other services.. this helps to segregate services or if you want to tcp wrapper the service.
Also some other neat settings
Code:
AllowUsers dallas, anyweb
DenyUsers www, oracle, daemon, ftpd, spamdand other popular system accounts (who in most cases have their shell set to /bin/false)
da!!as
deny root remote login to ssh - anyweb - 2006-09-11
hmm, i've tried this
Code:
AllowUsers test, anyweb
DenyUsers www, oracle, daemon, ftpd, spamdand i cannot login as user 'test' i always get permission denied, i can login as user 'anyweb' though, yes i've restarted sshd.
if i remove either anyweb or the test user (from the allowusers) and restart sshd then i can ssh in as that person no problem, so what is the issue ?
cheers
anyweb
deny root remote login to ssh - znx - 2006-09-11
AllowUsers - if specified .. login is allowed ONLY for the usernames that match the patterns you set there SEPARATED BY SPACES <-- :)
Manpages rock
ie:
Code:
AllowUsers test anyweb user? users*No need to deny, as it will ONLY allow those...
Or you can:
Code:
DenyUsers test anyweb user? users*Accept all users EXCEPT those in deny users.
Use one or the other.
deny root remote login to ssh - anyweb - 2006-09-11
good stuff thanks znx and jy in IRC
so for others out there the correct format is
Code:
AllowUsers test anyweb
DenyUsers www oracle daemon ftpd spamdcheers
anyweb
deny root remote login to ssh - kieranmullen - 2007-08-15
Is there a way to deny SHH from an address range? On in that case only allow it?
I have direct login disabled, and I have another user with ssh enabled.(in cpanel) However there is one more step I need to do I think...
X@X.net [~]# su -
-bash: /bin/su: Permission denied
X@X.net [~]# su-
-bash: su-: command not found
deny root remote login to ssh - znx - 2007-08-15
Quote:Is there a way to deny SHH from an address range? On in that case only allow it?
Yes there is, ssh respects the /etc/hosts.allow and /etc/hosts.deny.
For instance:
Code:
$ cat /etc/hosts.deny
ALL: ALL
$ cat /etc/hosts.allow
# Allow localhost, my local LAN, my work
ALL: 127.0.0.1
ALL: .home EXPECT voyager.home
sshd: .abdn.ac.ukThat setup says:
DENY, ALL services from ALL hosts.
ALLOW, ALL services from 127.0.0.1.
ALLOW, ALL services matching .home EXCEPT voyager.home (my lan).
ALLOW, SSHD service, from matching .abdn.ac.uk. (my work).
You can look up for more interesting tricks with hosts.allow and hosts.deny.