04 February, 2013

Disable Direct Root Login and change ssh port

Allowing the root user to log in directly over SSH is a major security issue. This guide shows how to disable direct root login so you can still become root, just not by logging in as root directly, which reduces the exposure.
This forces an attacker to guess two separate passwords to gain root access.
(You do have two separate passwords for admin and root, right?)
We will also force the use of SSH protocol 2, which is the newer, more secure SSH protocol.
1. SSH into your server as root
——————————————–
2. Create a new user for disabling direct login
——————————————–
Here we create a user 'admin' and set its password (note that useradd's -p expects an already-encrypted password, so running passwd admin afterwards is the usual way to set it).
# useradd admin -p 
——————————————–
3. Add that user to the wheel group
# usermod -G wheel admin
The wheel line in /etc/group should now read, e.g.: wheel:x:10:root,admin

——————————————–
4. Now edit the file for SSH logins
# vi /etc/ssh/sshd_config
5. Make the following changes.
——————————————–
Port 9595 (you can specify any unused port)
Protocol 2
PermitRootLogin no
StrictModes yes

——————————————–
6. Save the file (Ctrl+X, then Y, then Enter)
——————————————–
7. Now you can restart SSH
# /etc/rc.d/init.d/sshd restart
——————————————–
8. Add the new SSH port (9595 in this example) to the csf configuration file, in both the incoming and outgoing TCP port lists
# vim /etc/csf/csf.conf
# Allow incoming TCP ports: TCP_IN
# Allow outgoing TCP ports: TCP_OUT

——————————————–
9. Restart csf
# csf -r
Try logging in to the server from a second terminal and confirm that it works before closing your current session.
Now, no one will be able to log in as root without first logging in as admin and running 'su -' to become root, and you will be forcing the use of a more secure protocol. Just make sure you remember both passwords!
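As an added check, not part of the original post, the following POSIX sh script audits an sshd_config for the four settings from step 5 and verifies that csf's TCP_IN lists the new port; the function names and the sample configs embedded at the bottom are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings applied above and check that csf's TCP_IN allows the new port.

# Effective value of a directive: first uncommented match wins, which is
# how sshd itself resolves duplicate directives.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Print one line per problem; return value is the number of problems (0 = OK).
audit_sshd_config() {
    cfg="$1"; n=0
    root=$(sshd_value "$cfg" PermitRootLogin)
    proto=$(sshd_value "$cfg" Protocol)
    strict=$(sshd_value "$cfg" StrictModes)
    port=$(sshd_value "$cfg" Port)
    [ "$root" = "no" ]    || { echo "PermitRootLogin='${root:-unset}', want no"; n=$((n+1)); }
    [ "$proto" = "2" ]    || { echo "Protocol='${proto:-unset}', want 2"; n=$((n+1)); }
    [ "$strict" = "yes" ] || { echo "StrictModes='${strict:-unset}', want yes"; n=$((n+1)); }
    { [ -n "$port" ] && [ "$port" != "22" ]; } \
        || { echo "Port='${port:-unset}', want a non-default port"; n=$((n+1)); }
    return "$n"
}

# Succeed if the port is an exact entry in csf.conf's TCP_IN list
# (port ranges such as 30000:35000 are not expanded here).
csf_allows_port() {
    printf '%s\n' "$1" | awk -v port="$2" -F'"' '
        /^[[:space:]]*TCP_IN[[:space:]]*=/ {
            c = split($2, list, ",")
            for (i = 1; i <= c; i++) if (list[i] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample inputs (not copied from any real host).
WEAK_SSHD='Port 22
#PermitRootLogin no
PermitRootLogin yes
StrictModes yes'
HARDENED_SSHD='Port 9595
Protocol 2
PermitRootLogin no
StrictModes yes'
SAMPLE_CSF='TCP_IN = "20,21,25,53,80,443,9595"
TCP_OUT = "20,21,22,25,53,80,113,443,9595"'
```

On a live host, run audit_sshd_config "$(cat /etc/ssh/sshd_config)" before the restart in step 7 and csf_allows_port "$(cat /etc/csf/csf.conf)" 9595 before the restart in step 9, so a typo does not lock you out.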
SSH Legal Message
Edit /etc/motd and write something like this in it:
"ALERT! That is a secured area. Your IP is logged. Administrator has been notified"
When someone logs in over SSH they will see that message:
ALERT! That is a secured area. Your IP is logged. Administrator has been notified
If you want to receive an email every time someone logs in over SSH as root, edit .bash_profile (located in the /root directory) and put this at the end of the file:
echo "ALERT - Root Shell Access on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | awk '{print $6}')" mail@something.com
service sshd restart
