LinuxQuestions.org
Old 09-15-2009, 06:34 AM   #1
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,683

Rep: Reputation: 48
Prevent certain accounts from being able to SSH to server


How can you go about preventing certain user accounts, like root among others, from being able to SSH to a server's CLI? I want to do this for RHEL 5 if that matters.

Last edited by rjo98; 09-15-2009 at 06:35 AM.
 
Old 09-15-2009, 06:37 AM   #2
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
To stop root sshing in, make sure the following line is present in /etc/ssh/sshd_config:
Code:
PermitRootLogin no
To explicitly include or exclude users, see the DenyUsers and AllowUsers directives in the man page (man sshd_config).
 
Old 09-15-2009, 06:39 AM   #3
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,683

Original Poster
Rep: Reputation: 48
Thanks! I will check it out. If that line isn't there, do I just vi that file to add it? Then do I restart sshd (however you do that)?
 
Old 09-15-2009, 06:42 AM   #4
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
Quote:
Originally Posted by rjo98 View Post
Thanks! I will check it out. If that line isn't there, do I just vi that file to add it?
Yes.
Quote:
Originally Posted by rjo98 View Post
Then do I restart sshd (however you do that)?
You need to restart sshd. If you're using a Red Hat based system, I believe the syntax to restart sshd is:
Code:
/etc/init.d/sshd restart
To be run as root, obviously.
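
The edit-then-restart procedure from the posts above, with a check on the file before sshd is restarted. This is an added example and not part of any poster's reply; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config before restarting sshd.
# Assumes "Keyword value" lines separated by whitespace; DenyUsers entries are
# compared as literal names (no wildcard or user@host pattern matching).

# Effective global value of KEYWORD: keywords are case-insensitive and sshd
# keeps the first value it reads, so a later duplicate line has no effect.
sshd_first_value() {   # usage: sshd_first_value KEYWORD FILE
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ { next }                  # skip comments
        tolower($1) == "match" { exit }      # global section ends at first Match
        tolower($1) == kw { print $2; exit }
    ' "$2"
}

# Every account named on any global DenyUsers line, one per line.
sshd_denied_users() {  # usage: sshd_denied_users FILE
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Exit status 0 only if root login is "no" and each USER is on a DenyUsers line.
sshd_audit() {         # usage: sshd_audit FILE [USER...]
    cfg=$1; shift; rc=0
    val=$(sshd_first_value PermitRootLogin "$cfg" | tr 'A-Z' 'a-z')
    if [ "$val" != "no" ]; then
        echo "root login not disabled: PermitRootLogin ${val:-<unset>}"; rc=1
    fi
    for u in "$@"; do
        sshd_denied_users "$cfg" | grep -qxF -- "$u" || { echo "not denied: $u"; rc=1; }
    done
    return $rc
}

# Constructed sample config: the second PermitRootLogin line is ignored.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real server's configuration
Port 22
permitrootlogin no
PermitRootLogin yes
DenyUsers backup
DenyUsers oracle guest
EOF
}
```

Running `sshd -t` as root also checks the file for syntax errors before the restart; keep an existing SSH session open until a new login has been tested.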
 
Old 09-15-2009, 06:44 AM   #5
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,683

Original Poster
Rep: Reputation: 48
Awesome. Many thanks pwc.
 
Old 09-15-2009, 06:52 AM   #6
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
No problem

You might also be interested in the Sticky post on securing sshd here at LQ: http://www.linuxquestions.org/questi...tempts-340366/. unSpawn has also collated some links in this post http://www.linuxquestions.org/questi...54#post2122954 - see the section on SSH at the bottom for the links.
 
Old 09-15-2009, 07:01 AM   #7
nagendrar
Member
 
Registered: Apr 2008
Location: HYD, INDIA.
Posts: 151

Rep: Reputation: 15
You can prevent certain IPs the following way:

Add a line like "ALL: *.*" in the /etc/hosts.deny file.
Add a line like "ALL: <IPAddr>" in the /etc/hosts.allow file.

--> It won't allow any IPs except the <IPAddr> entries that are in the /etc/hosts.allow file.

ThanQ,
Nagendra R.
 
Old 09-15-2009, 07:54 AM   #8
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,092

Rep: Reputation: 872
The correct way to restart services in Red Hat, Fedora, and CentOS is by using the service command:
Code:
sudo /sbin/service sshd restart
man service
 
Old 09-15-2009, 08:01 AM   #9
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,683

Original Poster
Rep: Reputation: 48
So what is wrong with doing it like /etc/init.d/sshd restart?

I'm very new to Linux and RHEL, but the few people I've watched do stuff always do it like /etc/init.d/sshd restart, or stop then start.
 
Old 09-15-2009, 04:17 PM   #10
lutusp
Member
 
Registered: Sep 2009
Distribution: Fedora
Posts: 835

Rep: Reputation: 102
Quote:
Originally Posted by rjo98 View Post
So what is wrong with doing it like /etc/init.d/sshd restart?
Nothing whatever -- these are almost exactly the same:

Code:
# /etc/init.d/(service) (command)
-- and --

Code:
# service (service) (command)
The "service" command just provides a little shorthand, and if you move between distributions a lot, it's easier to remember the first way of doing it above.

"service" on Fedora/Red Hat is just a Bash script that holds the user's hand a little bit. To read it:

Code:
# cat /sbin/service
This is one of those annoying differences between distributions that can only stand in the way of wider Linux adoption.
 
Old 09-15-2009, 05:29 PM   #11
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,683

Original Poster
Rep: Reputation: 48
Thanks. Yeah, that does make it confusing for it to only be in certain distros. If a few of the distros would suck it up and merge, they might be on to something. Nothing like having 12 ways to do one thing, especially for someone new haha.
 
  



All times are GMT -5.
