restricting ssh

guy_ripper · 06-20-2007, 11:02 AM

Hi,

Anyone here knows how restrict access on ssh? I want to deepen the security on ssh in such away that only root can do ssh.

Thanks in advanced

bbonifield · 06-20-2007, 11:18 AM

Modify /etc/ssh/sshd_config

Add/modify AllowUsers option.

Something like.

"AllowUsers root"

Although it is good practice to have it so that only a secondary user can ssh in. As in only "admin" can ssh in, and then you have to su into root. It makes it so that if an ssh bot gets it, it still doesn't have root control of your system.

bsdunix · 06-20-2007, 11:20 AM

I added these to my /etc/ssh/sshd_config file, tried to connect SSH to localhost as normal user and was denied, but root was allowed. For explaination see man sshd_config.

Code:

DenyUsers ALL
AllowUsers root

Restart sshd.

Code:

# kill -HUP `cat /var/run/sshd`

It's a best practice you connect SSH as a normal user, then after connected to remote host either su to root or use sudo.

p.s. I see bbonifield already replied, I was too slooowwww.

stickman · 06-20-2007, 12:37 PM

Direct root access is a bad idea. The account always exits. SSH as a non-privileged user and su or sudo.

anomie · 06-20-2007, 12:59 PM

Quote:

Originally Posted by guy_ripper

I want to deepen the security on ssh in such away that only root can do ssh.

Interestingly, your approach for "deepen[ing] security" is going to have exactly the opposite effect.

If you insist on going forward with this, you're going to want to enable pubkey authentication and turn all other forms of authentication off. That will at least offer some protection from brute force attacks against the one account that obviously exists on the system: root.

guy_ripper · 06-20-2007, 09:20 PM

Thanks to you all... I appreciate your help...

Now, I know and will follow what you have adviced not to use root when logging in ssh.