LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-03-2014, 08:15 AM   #1
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Rep: Reputation: Disabled
Prevent root login Centos 7


Newly installed Centos v7.
I made the change to sshd_config (PermitRootLogin no), and restarted sshd. Still can login to root. I even restarted the system.

What scares me is - while logged on as root, watching message log, I can see new root sessions being added.

When logon, I also see something like 10,000 failed attempts to logon.

Questions:
- how to prevent root logon?
- how to change root password?
- how do I know what's malicious (or not authorized) in my message log? and can I
create a script to monitor this for warnings and/or block?

Thanks much.
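One reason an edit like the one above can have no visible effect is that sshd honors only the first occurrence of a keyword in sshd_config: a later `PermitRootLogin no` loses to an earlier `PermitRootLogin yes`, and a setting inside a `Match` block applies only to the connections that block matches. The Python script below is added here as an example and is not part of this thread; it emulates that first-match rule over a constructed sshd_config (the file contents and the 192.0.2.0/24 address are made up) so the effective value can be seen. On the server itself the authoritative check is `sshd -T | grep -i permitrootlogin`, which prints the running daemon's effective value, followed by `systemctl restart sshd` after any change.

```python
"""Emulate sshd's first-match keyword semantics to find the effective value
of PermitRootLogin in an sshd_config. Added example, not from the thread.

OpenSSH takes the FIRST occurrence of a keyword in sshd_config and ignores
later duplicates, so appending "PermitRootLogin no" below an earlier
"PermitRootLogin yes" changes nothing. Settings inside "Match" blocks apply
only to matching connections and are reported separately here.
On a live host the authoritative check is:  sshd -T | grep -i permitrootlogin
"""
import re

# Constructed sample config (hypothetical file contents, not from the page).
SAMPLE_SSHD_CONFIG = """\
# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin without-password
"""


def effective_option(config_text, keyword):
    """Return (global_value, [(match_criteria, value), ...]) for keyword.

    global_value is the first non-comment occurrence outside any Match block,
    as sshd would apply it; None if the keyword never appears. Keywords are
    compared case-insensitively, as in sshd, and both "Key value" and
    "Key=value" spellings are accepted.
    """
    keyword = keyword.lower()
    global_value = None
    match_values = []
    current_match = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment; "#PermitRootLogin no" does nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current_match = value  # everything after this is conditional
            continue
        if key != keyword:
            continue
        if current_match is not None:
            match_values.append((current_match, value))
        elif global_value is None:
            global_value = value  # first occurrence wins; later ones are ignored
    return global_value, match_values


def root_login_permitted(config_text):
    """True if the global (non-Match) setting still lets root log in.

    When the keyword is absent, OpenSSH 6.x (the version reported in this
    thread) defaults to "yes"; 7.0 changed the default to prohibit-password.
    """
    value, _ = effective_option(config_text, "PermitRootLogin")
    if value is None:
        return True
    return value.lower() != "no"


if __name__ == "__main__":
    value, per_match = effective_option(SAMPLE_SSHD_CONFIG, "PermitRootLogin")
    print("global PermitRootLogin:", value)  # "yes": the later "no" is ignored
    for criteria, v in per_match:
        print("  Match", criteria, "->", v)
    print("root login permitted:", root_login_permitted(SAMPLE_SSHD_CONFIG))
```

Run it against a copy of the real file with `effective_option(open("/etc/ssh/sshd_config").read(), "PermitRootLogin")`; if the first value it reports is not the one you wrote, delete or edit that earlier line rather than appending another.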
 
Old 12-03-2014, 10:15 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Unless you change the ssh port, ssh login attempts as root will continue.

3 things you may try:
edit /etc/hosts.allow and add
Code:
sshd: 127.0.0.1 <your_ip> <another_safe_ip>
to the bottom of the file (edit as root)

edit /etc/hosts.deny and add
Code:
sshd: ALL
However, this does not work if openssh-server is greater than 6.6 and you can see this using
Code:
sudo rpm -qa | grep openssh-server
if it is NOT greater than 6.6 use the above.

Second thing to try is fail2ban; installing it out of the box inhibits repeat offenders from trying root login to your server, and it takes care of this
Quote:
Originally Posted by butchrappe
how do I know what's malicious (or not authorized) in my message log? and can I
create a script to monitor this for warnings and/or block?
for you in /var/log/fail2ban.log
if installed.

3rd thing you can do is change the ssh port, but this presents other issues that would require additional/further enhancements to the way you may usually access the server. I DO NOT RECOMMEND YOU USE THIS method at this time.

I hope this is helpful.

to change the root password...
login as root and issue
Code:
passwd
and enter the new password twice (it will not be echoed).

Subscribed with interest...

Last edited by Habitual; 12-03-2014 at 10:25 AM.
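The "what's malicious in my message log" question from post #1 and the fail2ban pointer above come down to the same thing: counting authentication failures per source address and looking hard at the logins that did succeed. The Python script below is an added example, not code from this thread or from fail2ban itself. It runs that logic over a handful of constructed /var/log/secure lines (the file sshd logs to on CentOS 7; the hostnames, PIDs and addresses are invented): it tallies failures per IP the way fail2ban's sshd filter does, lists the IPs a `maxretry` threshold would ban, flags accepted sessions that are for root or come from an address not on your allowlist, and prints the firewall-cmd rich rule that the firewallcmd-* ban actions apply.

```python
"""Score sshd authentication lines the way fail2ban's sshd filter does,
on constructed sample lines. Added example, not from the thread.

On CentOS 7 sshd logs to /var/log/secure (and the journal); the patterns
below cover the common "Failed password", "Invalid user" and "Accepted"
messages. The IPs, hostnames, PIDs and timestamps are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines (hypothetical, not real traffic).
SAMPLE_SECURE_LOG = """\
Dec  3 08:01:12 www sshd[2201]: Failed password for root from 198.51.100.23 port 51012 ssh2
Dec  3 08:01:14 www sshd[2201]: Failed password for root from 198.51.100.23 port 51012 ssh2
Dec  3 08:01:17 www sshd[2203]: Failed password for root from 198.51.100.23 port 51044 ssh2
Dec  3 08:01:19 www sshd[2205]: Invalid user admin from 198.51.100.23
Dec  3 08:01:20 www sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 51050 ssh2
Dec  3 08:01:25 www sshd[2207]: Failed password for root from 203.0.113.9 port 40210 ssh2
Dec  3 08:02:01 www sshd[2210]: Accepted password for root from 203.0.113.9 port 40222 ssh2
Dec  3 08:05:40 www sshd[2215]: Accepted publickey for butch from 192.0.2.10 port 55100 ssh2
Dec  3 08:06:02 www sshd[2218]: Failed password for butch from 192.0.2.10 port 55104 ssh2
"""

# "Failed password for root from IP" and "Failed password for invalid user X from IP"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# logged once per attempt before the failure line, so it counts as its own strike
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def analyze(log_text, maxretry=3, trusted_ips=()):
    """Return failures per IP, the IPs a fail2ban-style rule would ban at
    maxretry, and accepted sessions worth eyeballing: root logins, or logins
    from addresses not in trusted_ips."""
    failures = Counter()
    failed_users = defaultdict(set)
    suspicious_accepts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and (m["user"] == "root" or m["ip"] not in trusted_ips):
            suspicious_accepts.append((m["user"], m["method"], m["ip"]))
    banned = sorted(ip for ip, n in failures.items() if n >= maxretry)
    return {
        "failures": dict(failures),
        "failed_users": {ip: sorted(u) for ip, u in failed_users.items()},
        "banned": banned,
        "suspicious_accepts": suspicious_accepts,
    }


def firewalld_rich_rule(ip):
    """The firewall-cmd command that rejects traffic from ip, mirroring what
    fail2ban's firewallcmd-* ban actions run (returned as text, not executed)."""
    return ("firewall-cmd --add-rich-rule='rule family=\"ipv4\" "
            "source address=\"%s\" reject'" % ip)


if __name__ == "__main__":
    report = analyze(SAMPLE_SECURE_LOG, maxretry=3, trusted_ips={"192.0.2.10"})
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print("%-16s %3d failures, users tried: %s"
              % (ip, n, ", ".join(report["failed_users"][ip])))
    for ip in report["banned"]:
        print("would ban:", ip, "->", firewalld_rich_rule(ip))
    for user, method, ip in report["suspicious_accepts"]:
        print("CHECK: %s logged in via %s from %s" % (user, method, ip))
```

Feed it the real file with `analyze(open("/var/log/secure").read(), trusted_ips={...})`. The "CHECK" lines are the part fail2ban does not do for you: a successful root login from an address you do not recognise is the thing to act on, and it is exactly what the new root sessions in post #1 would look like here.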
 
Old 12-03-2014, 06:09 PM   #3
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
Prevent root login Centos 7

This is good.

Changed the root password.

openssh-server: 6.4pl-....
So, I edited hosts.allow and hosts.deny

I'll try fail2ban next - and will report on success.

Thanks much !
 
Old 12-03-2014, 06:15 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by butchrappe
This is good.

Changed the root password.

openssh-server: 6.4pl-....
So, I edited hosts.allow and hosts.deny

I'll try fail2ban next - and will report on success.

Thanks much !
You don't need both the /etc/hosts.* edits and fail2ban, but it doesn't hurt to have it (you may have other services you may need to protect).

You're welcome!
 
Old 12-03-2014, 06:21 PM   #5
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
sorry, one more quick question:
What happens if I do an update, and suddenly my openssh-server is a higher version?
 
Old 12-03-2014, 06:42 PM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by butchrappe
sorry, one more quick question:
What happens if I do an update, and suddenly my openssh-server is a higher version?
Great Question!
There's a method using yum to "exclude" packages from updates but I won't "go there".
There's another technique using the same mechanism as /etc/hosts.{allow, deny} using the xinetd package, but I haven't looked into it.
Should be a similar process with similar edits.

Good thing fail2ban is getting installed, yes?
 
Old 12-08-2014, 08:40 PM   #7
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
Habitual,
I've been on the road way too much lately. I guess we never know what "tomorrow" will bring.

I installed fail2ban shortly after we last communicated. I didn't try to run it until I could learn more about it - like a user guide or something. I've found enough info to make me think I'm ready to get it going. However:

Info tells me to edit/configure a file called: /etc/fail2ban.conf
I can see the file name, but a "more < " says it's not there. A "vi" tries to start a new file.
I can't start it, because it doesn't exist.

Perhaps I "yum"ed incorrectly?

Maybe I need an update?

Any ideas?

Thanks much !
Butch
 
Old 12-09-2014, 08:47 AM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Issue a
Code:
sudo yum info fail2ban
and let me know the result.

Thanks.
 
Old 12-09-2014, 09:25 AM   #9
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
[root@www ~]# yum info fail2ban
Loaded plugins: fastestmirror, langpacks, product-id, subscription-manager
This system is not registered with Subscription Management. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
* base: mirror.unl.edu
* epel: kdeforge2.unl.edu
* extras: mirror.umd.edu
* updates: mirrors.adams.net
Installed Packages
Name : fail2ban
Arch : noarch
Version : 0.9
Release : 9.el7
Size : 0.0
Repo : installed
From repo : epel
Summary : Daemon to ban hosts that cause multiple authentication errors
URL : http://fail2ban.sourceforge.net/
License : GPLv2+
Description : Fail2Ban scans log files and bans IP addresses that makes too many
: password failures. It updates firewall rules to reject the IP
: address. These rules can be defined by the user. Fail2Ban can read
: multiple log files such as sshd or Apache web server ones.
:
: Fail2Ban is able to reduce the rate of incorrect authentications
: attempts however it cannot eliminate the risk that weak
: authentication presents. Configure services to use only two factor
: or public/private authentication mechanisms if you really want to
: protect services.
:
: This is a meta-package that will install the default
: configuration. Other sub-packages are available to install
: support for other actions and configurations.
 
Old 12-09-2014, 09:48 AM   #10
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Seems there is more than 1 fail2ban package on the EPEL for CentOS 7 x86_64
http://dl.fedoraproject.org/pub/epel...r_f.group.html.

Open a terminal and issue this command and report the output:
Code:
sudo rpm -qa | grep fail2ban
Here is the /etc/fail2ban/fail2ban.conf I found in fail2ban-server-0.9-9.el7.noarch.rpm

Thanks.
 
Old 12-09-2014, 10:09 AM   #11
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
I discovered the fail2ban conf in the same location you provided. That's different from the text I discovered online.
The contents of that file also do not agree with the "tutorial" I was following.
Think I should "yum fail2ban-all" ?

Here's what RPM provided:

[root@www ~]# rpm -qa | grep fail2ban
fail2ban-server-0.9-9.el7.noarch
fail2ban-systemd-0.9-9.el7.noarch
fail2ban-sendmail-0.9-9.el7.noarch
fail2ban-0.9-9.el7.noarch
fail2ban-firewalld-0.9-9.el7.noarch
 
Old 12-09-2014, 10:13 AM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by butchrappe
Think I should
Code:
yum fail2ban-all
I'd try that!

I quit upgrading fail2ban after 0.8.10 as they added the macros that I thought made spaghetti out of it from my point-of-view.
 
Old 12-09-2014, 10:15 AM   #13
CaptKrunch
LQ Newbie
 
Registered: Dec 2014
Posts: 4

Rep: Reputation: Disabled
For what it's worth, I've always removed ROOT login directly on SSHD.

People have to either use an LDAP account or a local account to log into the box, then sudo or su to the root itself.

Code:
vi /etc/ssh/sshd_config

PermitRootLogin no

save the file

service sshd restart
 
Old 12-09-2014, 10:23 AM   #14
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I'm sucking down CentOS 7 x86_64 and gonna whip it out in a VM.

Stand by for an update...
 
Old 12-09-2014, 10:31 AM   #15
butchrappe
LQ Newbie
 
Registered: Dec 2012
Distribution: CENTOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
I did the "yum install fail2ban-all"
There are a couple filenames I see under /etc - but they don't exist. Very strange.
When I look at the fail2ban.conf file, it doesn't have the content that the online text discusses.
I was trying to follow: www.the-aret-of-web.com/system/fail2ban

I'd like to understand this a little better and make sure it's not allowing any "defaults" that can
be exploited.

I started fail2ban, and will put it in the startup script.
Also restarted httpd. So, for now it's running. Is there a log I can follow? Or is it all under messages?

Thanks so much !

Butch
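On fail2ban 0.9, the file named in post #7, /etc/fail2ban/fail2ban.conf, only holds daemon settings (log level, log target, socket), which is why it does not match tutorials written for jail configuration. Jails are defined in /etc/fail2ban/jail.conf, local overrides go in /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/*.conf, and every jail in the stock jail.conf is disabled until you enable one, so nothing is banned out of the box. The jail.local below is an added example, not from this thread or the tutorial it cites. It assumes that the fail2ban-firewalld and fail2ban-systemd subpackages listed in the rpm output earlier install /etc/fail2ban/jail.d/00-firewalld.conf and 00-systemd.conf, which set `banaction = firewallcmd-ipset` and `backend = systemd` (confirm with `rpm -ql fail2ban-firewalld fail2ban-systemd`); the second ignoreip address is a placeholder for your own management address.

```ini
# /etc/fail2ban/jail.local  (added example; an override file, so jail.conf
# itself is never edited and survives package updates)
[DEFAULT]
# Never ban your own management addresses (192.0.2.10 is a placeholder)
ignoreip = 127.0.0.1/8 192.0.2.10
# ban for an hour after maxretry failures within findtime seconds
bantime  = 3600
findtime = 600
maxretry = 3
# With fail2ban-systemd and fail2ban-firewalld installed these two are assumed
# to be set already by /etc/fail2ban/jail.d/00-systemd.conf and
# 00-firewalld.conf; stating them here makes the effective config explicit.
# backend = systemd reads sshd messages from the journal, so no logpath needed.
backend   = systemd
banaction = firewallcmd-ipset

[sshd]
enabled = true
port    = ssh
```

Enable and start it with `systemctl enable fail2ban` and `systemctl start fail2ban`; `fail2ban-client status sshd` then shows the filter counters and the currently banned addresses, and bans and unbans are written to /var/log/fail2ban.log, the file mentioned earlier in the thread. `firewall-cmd --list-all` (or `ipset list`) shows the rule fail2ban inserted, which is the quickest way to confirm the ban action actually works with firewalld on CentOS 7.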
 
  

