Only allow root ssh access to the server
When creating 10 samba users I also created Linux users. I do not want these Samba users to be able to use putty, winscp etc to access the server.
Do you know how I can restrict ssh access to specific users?
DenyUsers? or, better AllowUsers?
man sshd_config
Anyway, why would you need root access to ssh? Isn't it better to allow one user to access ssh and then use sudo/su when you need root access?
Alternatively (or additionally), you could give the samba users nologin shells.
# chsh -s /sbin/nologin user_here
I don't use samba, but I don't see why a valid shell would be required. (However, if I am mistaken, then my advice is wrong. ;))
If you don't want any other user than root, use Allow/DenyUsers. Also, when you create a samba user, it does need a system user. BUT (and this is important to know) you do not need to set a password on the system user account. This automatically does deny ssh access as empty password logins are denied by ssh.
Bear in mind setting the shell to nologin does not prevent non-shell ssh access, like port forwarding. And there's a nice little DoS using that. To block ALL types of ssh access, you need to use Allow/Deny users.
And you should not allow root ssh logins. If you allow root logins, an attacker need only guess the root password. You should allow a user to login to ssh, and then su to root. And make the root password different to the user's password. That way, an attacker has to guess a username, a user password, and a root password.
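An added example (not part of the thread) for the point above that a nologin shell alone does not stop sshd from accepting an account: the function reads a constructed sshd_config and passwd file and lists the accounts sshd would still accept. The function name ssh_reachable_accounts and the sample accounts are made up for illustration; it assumes plain user names in AllowUsers/DenyUsers and no Match or group directives.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes plain user names in
# AllowUsers/DenyUsers (no patterns, no user@host), no Match blocks,
# no AllowGroups/DenyGroups. It does not check for usable passwords or keys.

# Usage: ssh_reachable_accounts SSHD_CONFIG PASSWD_FILE
ssh_reachable_accounts() {
    awk -F: '
        FNR == NR {                       # first file: sshd_config
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, w, /[ \t]+/)
            key = tolower(w[1])           # sshd keywords are case-insensitive
            if (key == "allowusers") { have_allow = 1
                for (i = 2; i <= n; i++) allow[w[i]] = 1 }
            if (key == "denyusers") {
                for (i = 2; i <= n; i++) deny[w[i]] = 1 }
            if (key == "permitrootlogin" && !seen++) {   # first value wins
                root_no = (tolower(w[2]) == "no") }
            next
        }
        $1 in deny                   { next }   # DenyUsers is checked first
        have_allow && !($1 in allow) { next }   # AllowUsers refuses everyone else
        $3 == 0 && root_no           { next }   # PermitRootLogin no covers uid 0
        { print $1 "\t" ($7 ~ /(nologin|false)$/ ? "no-shell" : "shell") }
    ' "$1" "$2"
}

# Constructed sample data: root, one admin and Samba-only accounts.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'admin:x:1000:1000::/home/admin:/bin/bash' \
        'smb01:x:1001:1001::/home/smb01:/sbin/nologin' \
        'smb02:x:1002:1002::/home/smb02:/bin/bash' > "$d/passwd"
    printf 'PermitRootLogin no\n' > "$d/sshd_config"
    if [ "$1" = after ]; then
        printf 'AllowUsers admin\n' >> "$d/sshd_config"
    fi
    ssh_reachable_accounts "$d/sshd_config" "$d/passwd"
    rm -rf "$d"
}

demo before   # nologin only: smb01 is still listed, marked no-shell
demo after    # with AllowUsers: only admin is listed
```

On a real host, point the function at /etc/ssh/sshd_config and /etc/passwd, and validate any config change with `sshd -t` before reloading the daemon.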
Thanks guys, good advice. I've changed my approach, now only one user account has ssh access and has to su to root.