deny root remote login to ssh

[anyweb]

why would you do this ? well everyone knows that 'root' (the username) is the admin of your box, so by denying 'root' remote access to ssh into your box you are making it just a wee bit harder for the hackers to get into your box since now they will have to guess a username on your box.

 

1. As root,

Code:

vi /etc/ssh/sshd_config

 

2. In there find (or create) a line that reads

 

# Authentication:#LoginGraceTime 120

PermitRootLogin no

#StrictModes yes

 

The line PermitRootLogin no is the important one. Note there is no # in front of it.

 

3. Once you have made thos changes, save the file (esc then :wq).

 

4. Restart sshd (service sshd restart).

 

With this line root cannot ssh into the box. To become root, ssh in as a normal user then use su - to become root once logged in.

 

cheers

 

anyweb

[tek-69]

nice tip thanks. for anyone that makes silly mistakes like me, typing No instead of no caused an error when i tried to restart ssh. once i changed it, restart went fine.

[dallas]

Having your sshd die on you is scary.. so if you are working on remote boxen, always run a usermode sshd on port 4000 or something as a spare in case something goes wrong... or webmin or something..

 

 

Something that I do with my sshd_config...

 

 

Code:

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

 

 

change from Protocol 2,1 because having it has 2,1 doesn't necessarily mean 1 is a fallback method; ie sshd might just negotiate 1 first up which is just nasty. so make sure your box does not support telnet or ssh 1.

I make it listen on a single ip address thats unused from other services.. this helps to segregate services or if you want to tcp wrapper the service.

 

Also some other neat settings

 

Code:

AllowUsers dallas, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd

 

and other popular system accounts (who in most cases have their shell set to /bin/false)

 

 

da!!as

[anyweb]

hmm, i've tried this

 

Code:

AllowUsers test, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd

 

and i cannot login as user 'test' i always get permission denied, i can login as user 'anyweb' though, yes i've restarted sshd.

 

if i remove either anyweb or the test user (from the allowusers) and restart sshd then i can ssh in as that person no problem, so what is the issue ?

 

cheers

 

anyweb

[znx]

AllowUsers - if specified .. login is allowed ONLY for the usernames that match the patterns you set there SEPARATED BY SPACES <-- :)

 

Manpages rock

 

ie:

Code:

AllowUsers test anyweb  user? users*

 

No need to deny, as it will ONLY allow those...

 

Or you can:

Code:

DenyUsers test anyweb user? users*

 

Accept all users EXCEPT those in deny users.

 

Use one or the other.

[anyweb]

good stuff thanks znx and jy in IRC

 

so for others out there the correct format is

 

Code:

AllowUsers test anyweb
DenyUsers www oracle daemon ftpd spamd

 

cheers

anyweb

[kieranmullen]

Is there a way to deny SHH from an address range? On in that case only allow it?

 

I have direct login disabled, and I have another user with ssh enabled.(in cpanel) However there is one more step I need to do I think...

 

X@X.net [~]# su -

-bash: /bin/su: Permission denied

X@X.net [~]# su-

-bash: su-: command not found

[znx]

Is there a way to deny SHH from an address range? On in that case only allow it?

 

Yes there is, ssh respects the /etc/hosts.allow and /etc/hosts.deny.

 

For instance:

 

Code:

$ cat /etc/hosts.deny
ALL: ALL
$ cat /etc/hosts.allow
# Allow localhost, my local LAN, my work
ALL: 127.0.0.1
ALL: .home EXPECT voyager.home
sshd: .abdn.ac.uk

 

That setup says:

DENY, ALL services from ALL hosts.

ALLOW, ALL services from 127.0.0.1.

ALLOW, ALL services matching .home EXCEPT voyager.home (my lan).

ALLOW, SSHD service, from matching .abdn.ac.uk. (my work).

 

You can look up for more interesting tricks with hosts.allow and hosts.deny.