Prevent root login Centos 7
Newly installed Centos v7.
I made the change to sshd_config (PermitRootLogin no), and restarted sshd. I can still log in as root. I even restarted the system. What scares me is - while logged on as root, watching the message log, I can see new root sessions being added. When I log on, I also see something like 10,000 failed attempts to log on.
Questions:
- how to prevent root logon?
- how to change root password?
- how do I know what's malicious (or not authorized) in my message log? and can I create a script to monitor this for warnings and/or block?
Thanks much. |
Unless you change the ssh port, ssh login attempts as root will continue.
3 things you may try: edit /etc/hosts.allow and add
Code:
sshd: 127.0.0.1 <your_ip> <another_safe_ip>
edit /etc/hosts.deny and add
Code:
sshd: ALL
Code:
sudo rpm -qa | grep openssh-server
Second thing to try is fail2ban and installing it out of the box inhibits repeat offenders from trying root login to your server and takes care of this Quote:
if installed. 3rd thing you can do is change the ssh port, but this presents other issues that would require additional/further enhancements to the way you may usually access the server. I DO NOT RECOMMEND YOU USE THIS method at this time. I hope this is helpful. To change the root password... login as root and issue
Code:
passwd
Subscribed with interest... |
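The poster's symptom (PermitRootLogin no in the file, root still able to log in) usually comes down to how sshd reads its config: for each keyword the first occurrence in the global section wins and later duplicates are ignored, and a value inside a Match block only applies to matching connections. The script below is an added example, not code from this thread; it reproduces those two rules over a constructed sshd_config so you can see which value sshd will actually use. The function names (sshd_effective, root_login_status, sample_sshd_config) and the sample config are my own.

```shell
#!/bin/sh
# Added example (not from the thread): print the value sshd will actually use
# for a keyword in sshd_config. Two rules explain why a "PermitRootLogin no"
# added at the bottom of the file can have no effect:
#   1. for each keyword the FIRST occurrence in the global section wins and
#      later duplicates are silently ignored (see sshd_config(5));
#   2. keywords inside a "Match" block only apply to matching connections,
#      so the global scan stops at the first Match line.

sshd_effective() {
    # $1 = path to an sshd_config file, $2 = keyword (case-insensitive)
    # prints the winning value, or nothing if the keyword is not set globally
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # drop comments, re-split fields
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == key { print $2; exit }    # first occurrence wins
    ' "$1"
}

root_login_status() {
    # $1 = path to sshd_config; reports the effective PermitRootLogin value.
    # When unset, OpenSSH before 7.0 (the 6.x shipped with CentOS 7) defaults to "yes".
    v=$(sshd_effective "$1" PermitRootLogin)
    if [ -z "$v" ]; then echo "unset (default: yes)"; else echo "$v"; fi
}

sample_sshd_config() {
    # constructed config for the demo: an early "yes" shadows the later "no"
    printf '%s\n' \
        'Port 22' \
        'PermitRootLogin yes' \
        '# PermitRootLogin no   <- commented out, ignored' \
        'PasswordAuthentication yes' \
        'PermitRootLogin no' \
        'Match User deploy' \
        '    PermitRootLogin yes' > "$1"
}

cfg=$(mktemp)
sample_sshd_config "$cfg"
echo "effective PermitRootLogin: $(root_login_status "$cfg")"    # prints: yes
echo "effective Port: $(sshd_effective "$cfg" Port)"             # prints: 22
rm -f "$cfg"
```

On the live box the authoritative check is `sshd -T | grep -i permitrootlogin`, which prints the configuration the running sshd has actually computed; if that still says yes after a restart, look for an earlier PermitRootLogin line or an Include/Match section above your edit.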
This is good.
Changed the root password. openssh-server: 6.4pl-.... So, I edited hosts.allow and hosts.deny I'll try fail2ban next - and will report on success. Thanks much ! |
You're welcome! |
sorry, one more quick question:
What happens if I do an update, and suddenly my openssh-server is a higher version? |
There's a method using yum to "exclude" packages from updates but I won't "go there". There's another technique using the same mechanism as /etc/hosts.{allow, deny} using the xinetd package, but I haven't looked into it. Should be a similar process with similar edits. Good thing fail2ban is getting installed, yes? ;) |
Habitual,
I've been on the road way too much lately. I guess we never know what "tomorrow" will bring. I installed fail2ban shortly after we last communicated. I didn't try to run it until I could learn more about it - like a user guide or something. I've found enough info to make me think I'm ready to get it going. However: Info tells me to edit/configure a file called: /etc/fail2ban.conf I can see the file name, but a "more < " says it's not there. A "vi" tries to start a new file. I can't start it, because it doesn't exist. Perhaps I "yum"ed incorrectly? Maybe I need an update? Any ideas? Thanks much ! Butch |
Issue a
Code:
sudo yum info fail2ban
Thanks. |
[root@www ~]# yum info fail2ban
Loaded plugins: fastestmirror, langpacks, product-id, subscription-manager
This system is not registered with Subscription Management. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
 * base: mirror.unl.edu
 * epel: kdeforge2.unl.edu
 * extras: mirror.umd.edu
 * updates: mirrors.adams.net
Installed Packages
Name        : fail2ban
Arch        : noarch
Version     : 0.9
Release     : 9.el7
Size        : 0.0
Repo        : installed
From repo   : epel
Summary     : Daemon to ban hosts that cause multiple authentication errors
URL         : http://fail2ban.sourceforge.net/
License     : GPLv2+
Description : Fail2Ban scans log files and bans IP addresses that makes too many
            : password failures. It updates firewall rules to reject the IP
            : address. These rules can be defined by the user. Fail2Ban can read
            : multiple log files such as sshd or Apache web server ones.
            :
            : Fail2Ban is able to reduce the rate of incorrect authentications
            : attempts however it cannot eliminate the risk that weak
            : authentication presents. Configure services to use only two factor
            : or public/private authentication mechanisms if you really want to
            : protect services.
            :
            : This is a meta-package that will install the default
            : configuration. Other sub-packages are available to install
            : support for other actions and configurations. |
Seems there is more than 1 fail2ban package on the EPEL for CentOS 7 x86_64
http://dl.fedoraproject.org/pub/epel...r_f.group.html. Open a terminal and issue this command and report the output:
Code:
sudo rpm -qa | grep fail2ban
Thanks. |
I discovered the fail2ban conf in the same location you provided. That's different from the text I discovered online.
The contents of that file also do not agree with the "tutorial" I was following. Think I should "yum fail2ban-all"? Here's what RPM provided:
[root@www ~]# rpm -qa | grep fail2ban
fail2ban-server-0.9-9.el7.noarch
fail2ban-systemd-0.9-9.el7.noarch
fail2ban-sendmail-0.9-9.el7.noarch
fail2ban-0.9-9.el7.noarch
fail2ban-firewalld-0.9-9.el7.noarch |
I quit upgrading fail2ban after 0.8.10 as they added the macros that I thought made spaghetti out of it from my point-of-view. |
For what it's worth, I've always removed ROOT login directly on SSHD.
People have to either use an LDAP account or a local account to log into the box, then sudo or su to root itself.
Code:
vi /etc/ssh/sshd_config |
I'm sucking down CentOS 7 x86_64 and gonna whip it out in a VM.
Stand by for an update... |
I did the "yum install fail2ban-all"
There are a couple filenames I see under /etc - but they don't exist. Very strange. When I look at the fail2ban.conf file, it doesn't have the content that the online text discusses. I was trying to follow: www.the-aret-of-web.com/system/fail2ban I'd like to understand this a little better and make sure it's not allowing any "defaults" that can be exploited. I started fail2ban, and will put it in the startup script. Also restarted httpd. So, for now it's running. Is there a log I can follow? Or is it all under messages? Thanks so much ! Butch |
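On the question of which log to follow and how to tell what is malicious: on CentOS 7 sshd logs through rsyslog's authpriv facility to /var/log/secure, and that file is what fail2ban's sshd jail reads. The script below is an added example, not code from this thread or from the fail2ban project; it does the same counting fail2ban's sshd filter does, over a constructed sample of /var/log/secure lines, so the "10,000 failed attempts" become a per-source table and the successful root logins stand out for verification. The function names (failed_by_ip, accepted_root, offenders, sample_secure_log), the sample lines and the RFC 5737 documentation addresses in them are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd authentication events from
# a log the way fail2ban's sshd filter does. On CentOS 7 sshd logs through
# rsyslog's authpriv facility to /var/log/secure; /var/log/messages carries
# other traffic. Line shape assumed (standard OpenSSH syslog format):
#   Jun  3 10:15:01 www sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2

failed_by_ip() {
    # $1 = log file; prints "<count> <source ip>" per password failure, busiest first
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

accepted_root() {
    # $1 = log file; prints "<timestamp> <source ip>" for each successful root login,
    # whatever the method (password, publickey): these are the sessions to verify
    awk '/sshd\[[0-9]+\]: Accepted .* for root from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $1, $2, $3, $(i + 1); break }
         }' "$1"
}

offenders() {
    # $1 = log file, $2 = failure threshold (fail2ban calls this maxretry);
    # prints the source IPs that reached it, one per line
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

sample_secure_log() {
    # constructed sample written to $1; addresses are from the RFC 5737 documentation ranges
    printf '%s\n' \
        'Jun  3 10:15:01 www sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2' \
        'Jun  3 10:15:03 www sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2' \
        'Jun  3 10:15:05 www sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2' \
        'Jun  3 10:15:09 www sshd[1236]: Failed password for root from 192.0.2.44 port 60001 ssh2' \
        'Jun  3 10:16:10 www sshd[1300]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2' \
        'Jun  3 10:16:11 www sshd[1300]: pam_unix(sshd:session): session opened for user root by (uid=0)' > "$1"
}

log=$(mktemp)
sample_secure_log "$log"
echo "failed password attempts by source:"; failed_by_ip "$log"
echo "sources at or above 3 failures:";      offenders "$log" 3
echo "successful root logins to verify:";    accepted_root "$log"
rm -f "$log"
```

Run it against the real file with `failed_by_ip /var/log/secure` once it is sourced. fail2ban's own decisions go to /var/log/fail2ban.log by default, and `fail2ban-client status sshd` lists the addresses currently banned by the sshd jail once that jail is enabled in jail.local.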