Prevent certain accounts from being able to SSH to server

anon091 · 09-15-2009, 06:34 AM

How can you go about preventing certain user accounts, like root among others, from being able to SSH to a server's CLI? I want to do this for RHEL 5 if that matters.

pwc101 · 09-15-2009, 06:37 AM

To stop root sshing in, make sure the following line is present in /etc/ssh/sshd_config:

Code:

PermitRootLogin no

To explicitly include or exclude users, see the DenyUsers and AllowUsers directives in the man page (man sshd_config).

anon091 · 09-15-2009, 06:39 AM

Thanks! I will check it out. If that line isn't there, do I just vi that file to add it? then do i restart sshd (however you do that)?

pwc101 · 09-15-2009, 06:42 AM

Quote:

Originally Posted by rjo98

Thanks! I will check it out. If that line isn't there, do I just vi that file to add it?

Yes.

Quote:

Originally Posted by rjo98

then do i restart sshd (however you do that)?

You need to restart sshd. If you're using a Red Hat based system, I believe the syntax to restart sshd is:

Code:

/etc/init.d/sshd restart

To be run as root, obviously.

anon091 · 09-15-2009, 06:44 AM

Awesome. Many thanks pwc.

pwc101 · 09-15-2009, 06:52 AM

No problem

You might also be interested in the Sticky post on securing sshd here at LQ: http://www.linuxquestions.org/questi...tempts-340366/. unSpawn has also collated some links in this post http://www.linuxquestions.org/questi...54#post2122954 - see the section on SSH at the bottom for the links.

nagendrar · 09-15-2009, 07:01 AM

You can prevent certain IP's following way:

add line like "ALL: *.* " in /etc/hosts.deny file.
add line like "ALL: <IPAddr>" in /etc/hosts.allow file

--> It won't allow all IP's except <IPAddr> which are in /etc/hosts.allow file.

ThanQ,
Nagendra R.

schneidz · 09-15-2009, 07:54 AM

the correct way to restart services in redhat, fedora, centos is by using the service command

Code:

sudo /sbin/service sshd restart
man service

anon091 · 09-15-2009, 08:01 AM

So what is wrong with doing it like /etc/init.d/sshd restart?

I'm very new to Linux and RHEL, but the few people i've watched do stuff, they always do it like /etc/init.d/sshd restart, or stop then start.

lutusp · 09-15-2009, 04:17 PM

Quote:

Originally Posted by rjo98

So what is wrong with doing it like /etc/init.d/sshd restart?

Nothing whatever -- these are almost exactly the same:

Code:

# /etc/init.d/(service) (command)

-- and --

Code:

# service (service) (command)

The "service" command just provides a little shorthand, and if you move between distributions a lot, it's easier to remember the first way of doing it above.

"service" on Fedora/red Hat is just a Bash script that holds the user's hand a little bit. To read it:

Code:

# cat /sbin/service

This is one of those annoying differences between distributions that can only stand in the way of wider Linux adoption.

anon091 · 09-15-2009, 05:29 PM

Thanks. Yeah, that does make it confusing for it to only be in certain distros. If a few of the distros would suck it up and merge, they might be on to something. Nothing like having 12 ways to do one thing, especially for someone new haha.