LinuxQuestions.org - How to :: Securing SSH: protocol SSH2 and hiding the direct access of root

1) Create a new and unique root access user. Login as root using a ssh connection such as Putty. Make sure you have the latest version of Putty that supports SSH2.

Add a user named ‘admin’ or any name:

Quote:

# /usr/sbin/adduser <username>
-OR-
#useradd <u_name>

#useradd admin

Verify that you have added the user

Add user to the wheel group (this is the important step in this ducument)

(The Wheel group is a user group that can gain access to root on your server by using the su command. You can add and remove users from that group as required.)

Quote:

# /usr/sbin/usermod -G wheel admin

Change user permissions:

Quote:

# chmod 4750 /bin/su;chown root:wheel /bin/su

(why 4(to set SUID) in chmod? It appears that the 4 sets the SUID bit, If setuid bit is set, when the file (su) is executed by a user, the process will have the same rights as the owner of the file being executed (which is root who has rwx permissions)

Further the permissions are changed so that root has read write execute permissions (47 rws, as both owner execute and SUID are set x is replaced by s) the group has execute only permissions (5 --x) while all others have no acess to the file (0 ---)

Check su command permissions

Quote:

# ls -al /bin/su

The result should be: -rwsr-x--- 1 root wheel 34567 Mar 20 2005 /bin/su

Note: the file size and date may be different from the example.

Exit and relogin with the new user name admin and test out su command.

Quote:

# nano -w /etc/ssh/sshd_config

2) Next we will force the use of SSH2 by changing the line "#Protocol 2, 1" to:

Quote:

Protocol 2

Next, we will disable direct root login access by changing the line "#PermitRootLogin yes" to:

Quote:

PermitRootLogin no

Next, we will change the ssh port to a high level port instead of '22' by changing the line "'#Port 22" to:

Quote:

Port 7777

(7777 can be any other high number you desire and also available. ***Make sure this port is open if you already have a firewall installed, or you will be locked out)

Exit and save.

Restart SSH using the following command:

Quote:

/etc/rc.d/init.d/sshd restart

Now exit out and restart your SSH with 7777 (or the number you entered above) as the port. Start the terminal and login with the username (admin) created above.

Note:

If you made any mistakes and you are locked out, then you have to connect using telnet and correct the problem. After the problem is corrected, you must change your password, because Telnet may have exposed your password since it transmits log in data using plain text.

3) Have the server e-mail you every time someone logs in as root:

Quote:

# cd
# nano .bash_profile

And put this text at the very end:

Quote:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" support@yourdomain.com

(You can add several addresses by having a space in between. Make sure you also use an off-server email address, otherwise if the server is hacked, you won't receive any email alart.)

4) Now since everything is working well through SSH, you can disable Telnet:

Quote:

# nano -w /etc/xinetd.d/telnet
Change disable = no to yes

Save and Exit

Quote:

# /etc/init.d/xinetd restart