{"id":736,"date":"2024-02-27T11:31:46","date_gmt":"2024-02-27T11:31:46","guid":{"rendered":"https:\/\/linuxresellerwebhosting.in\/blog\/?p=736"},"modified":"2024-02-27T11:32:59","modified_gmt":"2024-02-27T11:32:59","slug":"disabling-direct-ssh-root-login","status":"publish","type":"post","link":"https:\/\/linuxresellerwebhosting.in\/blog\/disabling-direct-ssh-root-login\/","title":{"rendered":"Disabling direct SSH Root Login and Permitting through \u201csu\u201d user in Linux"},"content":{"rendered":"

Disabling SSH Root Login and Permitting through \u201csu\u201d user in Linux<\/p>\n

Disabling direct SSH Root Login Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers,\u00a0 we need to enable\/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For a security measure we have to disable the direct root access and permit via su user.<\/p>\n

From this post, we are going to see how to secure our server\u2019s SSH login with additional security.<\/p>\n

\"disabling<\/p>\n

Disabling direct SSH Root Login<\/h2>\n

1.Prerequisites<\/strong><\/p>\n

CentOS 7.x (Operating system used here)
\nroot privileges.<\/p>\n

Let\u2019s continue with creating the user<\/p>\n

2.Creating new user<\/strong><\/p>\n

To create the su user and disable ssh root login from outside world, follow the below steps.<\/p>\n

#adduser webhost\r\n[root@linuxresellerwebhosting~]# adduser webhost\r\n[root@linuxresellerwebhosting~]# passwd webhost\r\nChanging password for user webhost.\r\nNew password:\r\nRetype new password:\r\npasswd: all authentication tokens updated successfully.<\/pre>\n
If you want to give a super user access to existing user, just add the user to group file.<\/p>\n
3.Adding the user to wheel group<\/strong><\/p>\n
Now, we need to add the user to \u201cwheel\u201d group to make the user as a \u201csu\u201d user. edit \/etc\/group file to add it.<\/p>\n
# nano \/etc\/group<\/pre>\n
Normal, output of group file will be as follows<\/p>\n
GNU nano 2.3.1 File: \/etc\/group\r\n\r\nroot:x:0:\r\nbin:x:1:\r\ndaemon:x:2:\r\nsys:x:3:\r\nadm:x:4:\r\ntty:x:5:\r\ndisk:x:6:\r\nlp:x:7:\r\nmem:x:8:\r\nkmem:x:9:\r\nwheel:x:10:\r\ncdrom:x:11:\r\nmail:x:12:postfix\r\nman:x:15:\r\ndialout:x:18:\r\nfloppy:x:19:\r\ngames:x:20:\r\ntape:x:30:\r\n. . . \r\n. . .<\/pre>\n
After adding the user to the \u201cwheel\u201d group, save the file and confirm that the user was added to \u201cwheel\u201d group using the following command.<\/p>\n
# cat \/etc\/group | grep wheel<\/pre>\n
You can confirm it by the following output<\/p>\n
[root@linuxresellerwebhosting~]# cat \/etc\/group | grep wheel\r\nwheel:x:10:webhost\r\n[root@linuxresellerwebhosting~]#<\/pre>\n
4.Disabling direct SSH Root Login<\/p>\n
Disabling direct SSH Root Login<\/p>\n
By editing the \/etc\/ssh\/sshd_config file and uncomment the \u201cPermitRootLogin\u201d to \u201cno\u201d to disable the direct ssh root login.<\/p>\n
# nano \/etc\/ssh\/sshd_config<\/pre>\n
Output of sshd_config file be like:<\/p>\n
# $OpenBSD: sshd_config,v 1.100 2016\/08\/15 12:32:04 naddy Exp $\r\n\r\n# This is the sshd server system-wide configuration file. See\r\n# sshd_config(5) for more information.\r\n\r\n# This sshd was compiled with PATH=\/usr\/local\/bin:\/usr\/bin\r\n\r\n# The strategy used for options in the default sshd_config shipped with\r\n# OpenSSH is to specify options with their default value where\r\n# possible, but leave them commented. Uncommented options override the\r\n# default value.\r\n\r\n# If you want to change the port on a SELinux system, you have to tell\r\n# SELinux about this change.\r\n# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\r\n#\r\n#Port 22\r\n#AddressFamily any\r\n#ListenAddress 0.0.0.0\r\n#ListenAddress ::\r\n\r\nHostKey \/etc\/ssh\/ssh_host_rsa_key\r\n#HostKey \/etc\/ssh\/ssh_host_dsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ecdsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\r\n\r\n# Ciphers and keying\r\n#RekeyLimit default none\r\n\r\n# Logging\r\n#SyslogFacility AUTH\r\nSyslogFacility AUTHPRIV\r\n#LogLevel INFO\r\n\r\n# Authentication:\r\n\r\n#LoginGraceTime 2m\r\nPermitRootLogin no\r\n#StrictModes yes\r\n#MaxAuthTries 6\r\n#MaxSessions 10\r\n\r\n#PubkeyAuthentication yes\r\n\r\n# The default is to check both .ssh\/authorized_keys and .ssh\/authorized_keys2\r\n# but this is overridden so installations will only check .ssh\/authorized_keys\r\nAuthorizedKeysFile .ssh\/authorized_keys\r\n\r\n#AuthorizedPrincipalsFile none\r\n\r\n#AuthorizedKeysCommand none\r\n#AuthorizedKeysCommandUser nobody\r\n\r\n. . .\r\n\r\n. . .<\/pre>\n
Once the modification was done as above, restart the ssh service<\/a> using<\/p>\n
You can also modify the ssh port number for additional security<\/p>\n
# systemctl restart sshd.service<\/pre>\n
5.Login Directly via root user<\/p>\n
Now, let try to login the server via root user to check whether it\u2019s login directly root or not.<\/p>\n
Using username \"root\".\r\nroot@103.xx.xxx.xxx's password:\r\nAccess denied\r\nroot@103.xx.xxx.xxx's password:<\/pre>\n
Yes, It is not allowing to login directly as root, so we are in right path.<\/p>\n
6.Login via \u201csu\u201d user<\/p>\n
Now, try to login the server with su user and successfully login to server.<\/p>\n
Using username “webhost”.<\/p>\n
webhost@103.xx.xxx.xxx's password:\r\n[webhost@linuxresellerwebhosting~]$ su -\r\nPassword:\r\n\r\nLast login: Tue Dec 26 12:07:39 EET 2017 from 182.13.23.38\r\n[root@linuxresellerwebhosting~]#<\/pre>\n
Yes, now we can able to login to the server using su user.<\/p>\n
To know about securing your cPanel server click here.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Disabling SSH Root Login and Permitting through \u201csu\u201d user in Linux Disabling direct SSH Root Login Does everyone knows, nowadays<\/p>\n","protected":false},"author":2,"featured_media":744,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[33,2,4],"tags":[42,18],"class_list":["post-736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cpanel","category-linux","category-vps","tag-root","tag-ssh"],"_links":{"self":[{"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/comments?post=736"}],"version-history":[{"count":11,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/736\/revisions"}],"predecessor-version":[{"id":748,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/736\/revisions\/748"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/media\/744"}],"wp:attachment":[{"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/media?parent=736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/categories?post=736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxresellerwebhosting.in\/blog\/wp-json\/wp\/v2\/tags?post=736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}