Go Back   SolidHost Forums Support Forums Tutorials / How to?

Reply
 
Thread Tools Display Modes
Old Nov 22nd, 2004, 16:24   #1
Haris
Customer
 
Join Date: Nov 2004
Posts: 12
Default Disable SSH root login

Allowing the root user to login directly is a major security issue, we'll show you how to disable it so you can still login as root but just not directly, reducing the security issue.

This will force a hacker to have to guess 2 seperate passwords to gain root access.
(you do have 2 seperate passwords for admin and root right?)
What happens is you'll first need to login as your admin user in SSH, then switch to the super user with the su command to get root.

We also will be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol
Just a couple more ways to help your server stay safe from the bad guys. If you're using cPanel make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

1. SSH into your server as 'admin' and gain root access by su

2. Copy and paste this line to edit the file for SSH logins
pico -w /etc/ssh/sshd_config

3. Find the line
Protocol 2, 1

4. Uncomment it and change it to look like
Protocol 2

5. Next, find the line
PermitRootLogin yes

6. Uncomment it and make it look like PermitRootLogin no

7. Save the file Ctrl+X then Y then enter

8. Now you can restart SSH
/etc/rc.d/init.d/sshd restart

Now, no one will be able to login to root with out first loggin in as admin and 'su -' to root, and you will be forcing the use of a more secure protocol. Just make sure you remember both passwords!
Haris is offline   Reply With Quote
Old Feb 22nd, 2005, 00:49   #2
Sensson
Customer
 
Join Date: Feb 2005
Posts: 3
Default

Restrict shell access to it as much as possible.

I might add that we've specified the users within our configuration who are able to SSH into the box by setting the AllowUsers directive.

Example:
AllowUsers admin myownaccount

Which would restrict access to those 2 accounts only!

---

Another thing, change the port to something unknown instead of the commonly used 22. You can do so in the Port directive at the top of the /etc/ssh/sshd_config file. Set it to something high.

Don't just give away shell access to people you don't trust. You can use very randomly picked passwords which are hard to crack, but when the hacker has an account on your server then he might be able to use local exploits. So keep that in mind!
Sensson is offline   Reply With Quote
Old Feb 22nd, 2005, 00:52   #3
SH-Andre
SolidHost Crew
 
Join Date: Sep 2001
Posts: 850
Default

I'd like to follow up on the port thing:

To make it even better, it's best to indeed setup a high level port, and block port 22 with a firewall. Then also make sure to setup something that detects port scans, and puts any port scanners into the block list of the firewall.

This way, after a potential hacker/cracker has done 10 scans or so, he'll be blocked entirely before he even finds the port.

-----------------
Andre van Vliet
SolidHost Administrators

Solid as a Rock
SH-Andre is offline   Reply With Quote
Old Feb 22nd, 2005, 01:10   #4
Sensson
Customer
 
Join Date: Feb 2005
Posts: 3
Default

Oh, and don't forget to open your newly set port in your firewall or you might run in some nasty troubles
Sensson is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +2. The time now is 10:09.