How to disable root logins to secure SSH on Linux server (or VPS) - digitalFAQ Forum
01-10-2012, 07:00 AM
kpmedia
By default, Linux comes with a user account that has full access to everything on the computer/server/VPS, and that user always has the same name: root. Given the ultimate power of this user's abilities over the server, hackers are always trying to brute force crack the secure shell service (SSH aka SSHD) as the root user. Username/password combinations involve two parts. When you already know the username (root), all that's left is to guess the password.

The easiest way to add security to SSH is by implementing a two part plan:
  1. Change the default port of SSH, away from port 22. Guide: http://www.digitalfaq.com/forum/web-...hange-ssh.html
  2. Disable the root user's ability to log in to SSH, and create a secondary user with an uncommon or unique name. (In other words, not admin or webmaster. You should also avoid common names, like john or susan. I don't care if that is your real first name -- it's a horrible username. Pick something atypical, like pluckyduck or secretsquirrel.) When you log in with the new user, you can "su" to the root user account.
This is essentially security by obscurity -- removing common fail points, replacing them with something unique and non-obvious.


How to Disable Root Logins in Linux

Step 1: Login to SSH as root. Most Windows users will be using Putty.

Step 2: Add a new user account. If you're on a server/VPS that already has users added (via a control panel like DirectAdmin or cPanel, for example), then you'll want to pick a name not already in use on the server. If your new username is "goobersmooch", then you'd type this into SSH:

Code:
[root@vps ~]# adduser goobersmooch
Optional: Some guides online suggest you verify the permission of your new user. The command will give a response.
Code:
[root@vps ~]# id goobersmooch
uid=510(goobersmooch) gid=510(goobersmooch) groups=510(goobersmooch)
Step 3: Check that the user's /home directory was created:
Code:
[root@vps ~]# ls -lad /home/goobersmooch/
drwx------ 2 goobersmooch goobersmooch 4096 Jan 10 10:13 /home/goobersmooch/
Step 4: Give your new user a password:
Code:
[root@vps ~]# passwd goobersmooch
Step 5: Test the new user. Open up a second instance of Putty (or whatever SSH client you've chosen), without closing the existing connection. Login with the new username and password. After login, you'll want to "su" to root:
Code:
[goobersmooch@vps ~]$ su -
Important: That is su, then a space, then a hyphen. Anything else will be incorrect. If typed correctly, you'll be prompted for a password. The requested user is assumed to be root, so enter your root password at this time, and it should change your prompt to root@ instead of the current goobersmooch@ in the bash shell.

If it works, awesome, you're ready for the next step...

Step 6: Disable root login in the sshd configuration file. With a text editor like nano or vi, edit /etc/ssh/sshd_config. In this example, I'm using nano. Type this into the command prompt (you are now root, after the "su -" in Step 5):
Code:
[root@vps ~]# nano /etc/ssh/sshd_config
Scroll down and find this line:
Code:
#PermitRootLogin yes
Uncomment the entry (remove the #) and change it to NO.
Code:
PermitRootLogin no
Exit the text editor, saving your changes: ^x (CTRL+x) in nano (Y to confirm, then use the same file name), or Esc followed by :w (to save) and then :q (to quit) in vi.

Step 7: Restart sshd service. In CentOS/RHEL Linux distributions, you'll type:
Code:
[root@vps ~]# service sshd restart
or for Debian/Ubuntu, you'll type:
Code:
[root@vps ~]# /etc/init.d/ssh restart
And that's it. You can no longer directly access root with a login.

Again, from now on, you'll need to log in as the new user you've just created, and then "su -" over to root when needed. Only log in as the root user when it's required. Some common SSH maintenance tasks can be managed from the normal user you've just created.

I'll cover changing the sshd service port in another post/guide.

Hope this helps.
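
A check for the edit in Step 6, added here as an example and not part of the original post: it reads an sshd_config-style file and reports which PermitRootLogin value sshd would apply, catching the cases where the line is still commented out or an earlier duplicate wins. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File contents below are constructed.

# Print the global PermitRootLogin value from an sshd_config-style file.
# sshd applies the FIRST occurrence of a keyword, matches keywords
# case-insensitively and ignores '#' lines; lines after "Match" are conditional.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { key = tolower($1); sub(/=.*/, "", key) }
        key == "match" { exit }                 # end of the global section
        key == "permitrootlogin" {
            val = $0
            sub(/^[ \t]*[^ \t=]+[ \t]*=?[ \t]*/, "", val)   # strip the keyword
            sub(/[ \t]+$/, "", val)
            print tolower(val); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root login is explicitly set to "no".
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed samples: the edit from Step 6, and two ways it can silently fail.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Port 22\nPermitRootLogin no\n' > "$dir/fixed"
    printf 'Port 22\n#PermitRootLogin no\n' > "$dir/still_commented"
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$dir/duplicate"
    for f in fixed still_commented duplicate; do
        printf '%-16s %s\n' "$f" "$(effective_permit_root_login "$dir/$f")"
    done
    rm -rf "$dir"
}
demo

# On the server itself, as root, before Step 7:
#   sshd -t && sshd -T | grep -i '^permitrootlogin'
```

A result of "unset" means sshd falls back to its built-in default, which depending on the OpenSSH version may still permit root logins, so only an explicit "no" counts as done.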
