LinuxQuestions.org
Old 09-29-2004, 10:29 PM   #1
blk96gt
Member
 
Registered: Jun 2004
Location: Nacogdoches, TX
Distribution: Ubuntu 7.04
Posts: 230

Rep: Reputation: 30
Question How can I disable root login with SSH?


I've tried searching the forums and Google, and the only answer I can find is to add the line
Code:
PermitRootLogin no
However, when I do this, I get the following error
Code:
/etc/ssh/ssh_config: line 37: Bad configuration option: PermitRootLogin
/etc/ssh/ssh_config: terminating, 1 bad configuration options
Anyone have any suggestions as to how I can resolve this problem? Thanks for the help.

EDIT: Forgot to mention that I get the error whenever I try to use ssh to connect to another machine.

Last edited by blk96gt; 09-29-2004 at 10:33 PM.
 
Old 09-29-2004, 10:32 PM   #2
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 53
Instead of putting that line, don't put it and root shouldn't be allowed to login

EDIT: I explained wrong, root is not allowed to login unless you put the line PermitRootLogin yes
 
Old 09-29-2004, 10:34 PM   #3
blk96gt
Member
 
Registered: Jun 2004
Location: Nacogdoches, TX
Distribution: Ubuntu 7.04
Posts: 230

Original Poster
Rep: Reputation: 30
It wasn't there to begin with, and root was still able to log on.
 
Old 09-29-2004, 10:39 PM   #4
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 53
Sorry, you're right, I remembered wrong. Anyway, you should put PermitRootLogin no in sshd_config, not ssh_config, and hopefully it will work (after restarting sshd).

Last edited by gbonvehi; 09-29-2004 at 10:40 PM.
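
The client/server file mix-up resolved above, as an added example that is not part of the original posts: a small audit that flags server-only keywords placed in ssh_config and reports the PermitRootLogin value that the global section of sshd_config sets. The file contents, the keyword list and the function names are constructed for illustration.

```python
# Keywords that only sshd understands; the ssh client rejects them in ssh_config.
SERVER_ONLY = {"permitrootlogin", "allowusers", "denyusers",
               "permitemptypasswords", "listenaddress"}


def directives(text):
    """Yield (line_number, keyword, value) for every non-comment line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        yield number, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""


def misplaced_in_client_config(ssh_config_text):
    """Return [(line_number, keyword)] for server-only keywords in ssh_config."""
    return [(n, k) for n, k, _ in directives(ssh_config_text) if k in SERVER_ONLY]


def effective_permit_root_login(sshd_config_text):
    """Return the global PermitRootLogin value; the first occurrence wins.

    Returns None when the keyword is absent, in which case the built-in
    default of the installed sshd applies. Parsing stops at the first Match
    block because settings inside it are conditional.
    """
    for _, keyword, value in directives(sshd_config_text):
        if keyword == "match":
            break
        if keyword == "permitrootlogin":
            return value.lower()
    return None


# Constructed sample files (not taken from the thread).
CLIENT_CONFIG = "Host *\n    ForwardX11 no\n    PermitRootLogin no\n"
SERVER_CONFIG = "#PermitRootLogin yes\nPort 22\nPermitRootLogin no\nPermitRootLogin yes\n"

if __name__ == "__main__":
    print("misplaced in ssh_config:", misplaced_in_client_config(CLIENT_CONFIG))
    print("sshd_config PermitRootLogin:", effective_permit_root_login(SERVER_CONFIG))
```

On a live host, `sshd -t` checks the server configuration for syntax errors before the restart.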
 
Old 09-29-2004, 10:41 PM   #5
blk96gt
Member
 
Registered: Jun 2004
Location: Nacogdoches, TX
Distribution: Ubuntu 7.04
Posts: 230

Original Poster
Rep: Reputation: 30
Yeah so I'm stupid and haven't noticed that all the things I've read have said sshd_config and not just ssh_config. Thanks for clarifying that for me.
 
Old 09-29-2004, 11:37 PM   #6
blk96gt
Member
 
Registered: Jun 2004
Location: Nacogdoches, TX
Distribution: Ubuntu 7.04
Posts: 230

Original Poster
Rep: Reputation: 30
One more thing. Is it possible for me to stop certain IP addresses from connecting via ssh? Would I have to put something in my iptables script to drop all connections from that IP address? Or is there another way to do this? Thanks for the help.
 
Old 09-30-2004, 12:29 AM   #7
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
Add the IP to your /etc/hosts.deny file.

Enjoy!
--- Cerbere
 
Old 09-30-2004, 12:37 AM   #8
TomaCzar
Member
 
Registered: Dec 2003
Location: Roc City (Rochester-NY)
Distribution: Slacker 4 Life
Posts: 125

Rep: Reputation: 15
It has been recommended by brains bigger than mine that you should have "ALL:ALL" in your /etc/hosts.deny folder and then specify access from there. I remotely administered my home web-server this summer and found that setup to be quite the pain; however, all I had to do is check the logs for all the script-kiddies that were turned away to realize the value of my actions.
 
Old 09-30-2004, 12:55 AM   #9
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 53
TomaCzar, that approach is perfect, but it works only when you have a known group of users with a specific address; it won't do if you really don't know who is going to access your machine.
I'm running a machine to hold my web site, testing software, etc. I always see some scans in the logs, but I just ignore them (mostly..); I couldn't do what you said because I really don't know who is going to access it (I guess I'm the only one, but I have hope).

Last edited by gbonvehi; 09-30-2004 at 12:56 AM.
 
Old 10-02-2004, 08:09 AM   #10
TomaCzar
Member
 
Registered: Dec 2003
Location: Roc City (Rochester-NY)
Distribution: Slacker 4 Life
Posts: 125

Rep: Reputation: 15
gbonvehi,

I think there's a happy medium here not being addressed. When you say
Quote:
I'm running a machine to hold my web site, testing software, etc.
you should know that I'm doing some of the exact same things. Only certain applications use the 'hosts.allow, hosts.deny' files, or maybe it should more appropriately be stated that certain applications do not use those files for authentication. Specifically, Apache has its own access roster that can be configured to allow and deny access to its services.
Now, I don't know what FTP you use; however, the two I've used (proftp=past, vsftp=present) require an addition to hosts.allow along the lines of the following

Code:
 
# Format: [daemon] : [IP | netaddress/netmask | ALL] : allow
vsftpd : 22.33.44.55 : allow
proftpd : 22.33.44.0/255.255.255.0 : allow
# Last resort, when absolutely necessary:
vsftpd : ALL : allow
Now that simply allows access to the service; further configuration is needed to allow specific login accounts (or general access if absolutely necessary).
One more comment I'd like to make: if you have an internal network and an external network, you can certainly restrict access via that criteria so that services available to your home/work are not necessarily available to the outside world. A simple
Code:
ALL : 192.168.X.X/255.255.255.0 : ALL
will allow access to all services for anyone on your internal LAN (also anyone who's hacked into your internal LAN...) however it will keep you from ripping your hair out in frustration when machines on a 'trusted' network are told no.
There's always a trade off between security and capability but it's very rarely all or nothing. If you'd like to seriously address security issues you may wish to research a little more at what options are available.
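
How the hosts.allow and hosts.deny entries discussed in posts #7 to #10 combine, as an added example that is not code from any poster: a simplified model of the TCP wrappers lookup order (hosts.allow first, then hosts.deny, otherwise grant). It assumes a daemon that actually consults these files, handles only IPv4 address patterns (no hostnames), and uses constructed file contents in which 192.168.1.0 and 203.0.113.9 are stand-in addresses.

```python
import ipaddress


def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        # Daemon and client lists may be separated by blanks or commas.
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask, e.g. 22.33.44.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # prefix form, e.g. "192.168."
        return ip.startswith(pattern)
    return pattern == ip


def listed(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, ip) for c in clients)
               for daemons, clients in rules)


def access_granted(allow_text, deny_text, daemon, ip):
    """A match in hosts.allow grants, then a match in hosts.deny refuses, else grant."""
    if listed(parse_rules(allow_text), daemon, ip):
        return True
    return not listed(parse_rules(deny_text), daemon, ip)


# Constructed sample files: default-deny plus two exceptions.
HOSTS_ALLOW = "vsftpd : 22.33.44.55 : allow\nALL : 192.168.1.0/255.255.255.0 : allow\n"
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for daemon, ip in [("vsftpd", "22.33.44.55"), ("sshd", "22.33.44.55"),
                       ("sshd", "192.168.1.20"), ("sshd", "203.0.113.9")]:
        print(daemon, ip, access_granted(HOSTS_ALLOW, HOSTS_DENY, daemon, ip))
```

With an empty hosts.deny every unlisted client is granted access, which is why the default-deny entry matters.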
 
  

