Old 04-09-2003, 23:12   #1
royong
SGWHT Administrators
 
Join Date: 01-07-2002
Location: Singapore
Posts: 1,469
HOWTO : Disable Direct Root Login & Secure Ssh

This disables the direct root login. You will need to log in as another user first before you can "su -" to root. This other user must not be a virtual user. In this sense, it should be an OS-level user, not a virtual user, i.e. admin or roy, etc.

Log into the server via SSH
As ROOT carry out the following :-
# cd /etc/ssh
# vi sshd_config

##########################################
Find the line
#Protocol 2,1
Change it to
Protocol 2

Find the line
#PermitRootLogin yes
Change it to
PermitRootLogin no

Find the line
#LoginGraceTime 600
Change it to
LoginGraceTime 300

Find the line
X11Forwarding yes
Change it to
X11Forwarding no

Find the line
#UseLogin no
Change it to
UseLogin no
##########################################
Save and Exit
:wq
##########################################

We will now need to restart the SSHD service but before that, we will need to start the telnet service first just in case we make any errors, at least we can telnet in.

# service sshd restart
# exit

This will log you out of the server. Now try logging in again. This time we will need to use another account other than Root to login. Direct login to the server has been disabled.
__________________
Roy Ong
Site Admin - Singapore Web Hosting Talk - My PM facility has been disabled. Please contact me via email instead.
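Added example, not part of the original post: a shell check that reads an sshd_config the way sshd does (the first uncommented value for a keyword wins, and keywords are case-insensitive) and compares it with the values the HOWTO sets. The function names and the sample file are constructed for illustration, and whitespace-separated `Keyword value` lines are assumed.

```shell
#!/bin/sh
# Print the effective value of KEY in FILE: the first uncommented
# occurrence before any Match block. Empty output means "not set".
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }        # comment or blank line
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Compare FILE with the values from the HOWTO above.
# Prints one line per difference and returns the number of differences.
audit_sshd_config() {
    file=$1 bad=0
    for want in "Protocol 2" "PermitRootLogin no" "LoginGraceTime 300" \
                "X11Forwarding no" "UseLogin no"; do
        key=${want% *} expected=${want#* }
        actual=$(sshd_effective "$key" "$file")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: want '$expected', got '${actual:-<not set>}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample file (not from the thread): LoginGraceTime was left
# at 600, a second X11Forwarding line was appended instead of editing the
# first, and UseLogin is still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Protocol 2,1
Protocol 2
permitrootlogin no
LoginGraceTime 600
X11Forwarding yes
X11Forwarding no
#UseLogin no
EOF

audit_sshd_config "$sample" || echo "$? setting(s) differ from the HOWTO"
```

Running `sshd -t` before `service sshd restart` additionally checks the file for syntax errors, so a typo is caught while the current session is still open.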

Old 18-09-2003, 13:48   #2
thankgod
SGWHT Newbie
 
Join Date: 09-05-2003
Posts: 33
Maybe you can consider changing the DEFAULT port for SSH as well
Old 21-09-2003, 12:56   #3
royong
Yes - you should do that as well, especially since SSH defaults to port 22, but the debate is essentially whether it makes any difference, since a potential violator will most probably carry out a port scan on your server and see the port numbers which are open before deciding on hitting them. So, even if you change the default SSH port number, it would be quite easy to spot.
Old 09-10-2003, 02:30   #4
choon
SGWHT Senior Member
 
Join Date: 01-07-2002
Location: Singapore
Posts: 488
Hi Roy,

Besides disabling root logins, did you restrict certain users to be able to su to root?

Thanks.
__________________
Giam Teck Choon
System Administrator
Join my community today at choon.NET Community to share server related tips and tricks!
External/One-Year WHM/cPanel licenses | Linux/FreeBSD Server Management | Xen VPS Solutions (with/without WHM/cPanel or DirectAdmin)
Old 09-10-2003, 09:17   #5
royong
Good point.
Any suggestions?
Old 09-10-2003, 10:49   #6
choon
For me, I would create a non-web user just for me to login and when it is needed will su to root. This non-web user will be added in the wheel group and only those in the wheel group will be able to su to root thus it is an added barrier for those script kiddies.

Here are the basic steps:

1. Disable root logins as per your guide would be good enough

2. Create a non-web user which is not used for hosting anything like sites or email... purely for the admin to log in via SSH
As root:
Code:
useradd -G wheel -d /admin admin
passwd admin
groups admin
The first command adds an admin user. You can add any user of your choice; it does not have to be admin.
The second command sets the password of the newly added user "admin".
The third command checks whether the newly added "admin" user is in the wheel group. If it is, good; otherwise use usermod -G wheel admin to add it to the wheel group.
NOTE: by default, the root user is in the wheel group. You can cross-check by issuing groups root

3. Now it is time to restrict all other users from using su to root
Edit the file /etc/pam.d/su using your favorite editor, then find and uncomment the following line (meaning remove the #):
Code:
auth  required /lib/security/pam_wheel.so use_uid
Besides restricting which user(s) are able to su to root, you might also want to add the following at the end of your root shell profile file; for example, for bash this will be /root/.bash_profile:
Code:
# Send alert to server admin
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access on Server `hostname` from `who | awk '{print $6}'`" your_full_email_address
Personally I would use an email address which is not hosted on the same server.

Err... I think I will stop here for the time being

Thanks.
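Added example, not part of the original post: a shell check for the result of steps 1 to 3 above. It confirms that the pam_wheel line in the su PAM file is active and that wheel has at least one non-root member, since with root logins disabled and su restricted, an empty wheel group leaves no path to root over SSH. The function names, sample files and the wheel GID are constructed for illustration.

```shell
#!/bin/sh
# Succeeds if FILE has an uncommented "auth required ... pam_wheel.so" line.
pam_wheel_enforced() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "required" && $3 ~ /(^|\/)pam_wheel\.so$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the members listed for GROUP in a group(5)-format FILE, one per line.
# Users who have GROUP only as their primary group are not listed there.
group_members() {
    awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }
    ' "$2"
}

# Returns 0 only if su is restricted AND a non-root wheel member exists;
# 1 if the pam_wheel line is inactive, 2 if wheel has no non-root member.
check_su_restriction() {
    pam_file=$1 group_file=$2
    if ! pam_wheel_enforced "$pam_file"; then
        echo "su is NOT restricted: pam_wheel line missing or commented out"
        return 1
    fi
    admins=$(group_members wheel "$group_file" | grep -v '^root$' | tr '\n' ' ')
    if [ -z "$admins" ]; then
        echo "su restricted, but no non-root user in wheel (lockout risk)"
        return 2
    fi
    echo "su restricted to wheel; non-root members: $admins"
}

# Constructed sample files: the PAM line before and after uncommenting,
# and a group file in which "admin" has been added to wheel.
tmp=$(mktemp -d)
printf '%s\n' '#auth required /lib/security/pam_wheel.so use_uid' > "$tmp/su.before"
printf '%s\n' 'auth  required /lib/security/pam_wheel.so use_uid' > "$tmp/su.after"
printf '%s\n' 'wheel:x:10:root,admin' 'users:x:100:' > "$tmp/group"

check_su_restriction "$tmp/su.before" "$tmp/group" || true
check_su_restriction "$tmp/su.after" "$tmp/group"
```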
Old 09-10-2003, 12:26   #7
Duskette
SGWHT Moderator
 
Join Date: 12-07-2002
Location: Singapore
Posts: 465
Roy! This is why we can't login locally using root when we are at D1 that time. LoL~
Old 09-10-2003, 22:36   #8
pingcrisis
SGWHT Veteran Member
 
Join Date: 11-07-2003
Location: alliance
Posts: 783
Hey choon great idea.
Old 22-10-2003, 09:11   #9
dax-ii2
SGWHT Newbie
 
Join Date: 07-07-2003
Location: Singapore
Posts: 112
Hi Roy,
Can you please explain what these two entries are for? I've looked at some guides for disabling root access but they do not have these two edits.
Thanks.

Find the line
X11Forwarding yes
Change it to
X11Forwarding no

Find the line
#UseLogin no
Change it to
UseLogin no
Old 22-10-2003, 21:30   #10
choon
Oops... sorry, as I misunderstood your question :p
Actually you can find all your answers in man sshd
Quote:
Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.
Read the man sshd to learn more... ...

Hope this helps

Thanks.

Last edited by choon; 23-10-2003 at 05:07.
Old 29-05-2006, 18:32   #11
crystalcube
SGWHT Newbie
 
Join Date: 04-05-2006
Posts: 191
Using AllowGroups or AllowUsers in sshd_config will further restrict which users or groups are able to log in via ssh.
__________________
The Gaming Net
Old 30-05-2006, 13:23   #12
royong
Thanks for picking up an old thread ...
: )
Old 04-10-2006, 21:19   #13
haalaaluu
SGWHT Newbie
 
Join Date: 07-08-2006
Posts: 3
enable sudoers for wheel

Continue from Choon's reply:

Allow wheel to sudoers.

Code:
# visudo
You will see the following (in vi editor) and comment out wheel section as desired.

Code:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root	ALL=(ALL) ALL
%admin	ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
 %wheel	ALL=(ALL)	ALL

# Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
Old 22-10-2007, 22:48   #14
serverpoint
SGWHT Newbie
 
Join Date: 12-10-2007
Posts: 16
nice discussion