Securing SSH: Disabling Root Log-ins
This is a guide on how to add more security to your server by disabling root logins and changing the standard port that ssh uses.
The first thing we need to do is create a user name that we will use as our new administrative login in place of root. Either of the following commands works:
[root@dev ~]# /usr/sbin/adduser admin
[root@dev ~]# useradd admin
You do not have to use admin; you can use whatever you like, e.g. joe, jeff, john, carl or richard. Either way, remember that Linux is case sensitive, so if you use capitals in your login name you will have to use capitals every time you log in.
Verify that the user has been added.
Add the user to the wheel group (this is the important step in this document). Either of the following commands works:
(The wheel group is a user group whose members can gain access to root on your server by using the su command. You can add and remove users from that group as required.)
[root@dev ~]# /usr/sbin/usermod -G wheel admin
[root@dev ~]# usermod -G wheel admin
Change the ownership and permissions of the su binary:
[root@dev ~]# chown root:wheel /bin/su
[root@dev ~]# chmod 4750 /bin/su
(Why the 4 in chmod? The leading 4 sets the SUID bit. When the setuid bit is set and the file (su) is executed by a user, the process runs with the same rights as the owner of the file, which is root.)
The remaining digits set the permissions so that root has read, write and execute permission (7, shown as rws because the SUID bit replaces the owner's x with an s), the group has read and execute permission (5, r-x) and all others have no access to the file (0, ---).
Check the su command permissions:
[root@dev ~]# ls -al /bin/su
The result should be: -rwsr-x--- 1 root wheel 34567 Mar 20 2005 /bin/su
Note: the file size and date may be different from the example.
Log out, log back in as the new user admin, and test the su command:
[admin@dev ~]$ su root
Enter the root password. If your prompt changes to root, su is working and we can now disable root log-ins.
First we need to edit the SSH daemon's configuration file:
[root@dev ~]# nano /etc/ssh/sshd_config
We are going to change the port, the protocol, and root log-ins. If any of these options are commented out with a # symbol in front of them, the # must be removed.
Find the Port line (the default is Port 22) and change the port to something that you can remember. It has to be at least two digits; I recommend something with at least four digits, for example 5685. (Make sure this port is open if you already have a firewall installed, or you will be locked out.)
Make sure that the Protocol line is set to 2 only: Protocol 2, not 1,2 or 2,1.
The PermitRootLogin line is usually commented out and will most likely look like #PermitRootLogin no. Remove the # symbol and make sure the value is no (change it if it says yes).
Save and Exit.
Restart SSH using the following command:
[root@dev ~]# /etc/rc.d/init.d/sshd restart
DO NOT CLOSE YOUR EXISTING SSH CONNECTION! Open a new connection and try to connect on the new port with your new user name. If you are able to log in, you can go ahead and exit your original session. If you cannot connect, revert these settings to the defaults, restart sshd again, and reconnect with the stock settings.
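As an added check, not part of the original guide, the following POSIX sh script verifies that the three sshd_config settings above are in effect and that /bin/su carries the expected root:wheel 4750 permissions. It assumes the paths used in this guide (/etc/ssh/sshd_config and /bin/su) and treats any port other than 22 as acceptable; set AUDIT_LIVE=1 to run it against the live system.

```shell
#!/bin/sh
# Added audit script (not from the original guide). Checks that the
# sshd_config changes and the /bin/su permissions described above took effect.
# Live usage: AUDIT_LIVE=1 sh audit.sh [/etc/ssh/sshd_config]

# Effective value of an sshd_config keyword. sshd uses the FIRST uncommented
# occurrence of a keyword, so a stray "PermitRootLogin yes" higher in the file
# silently wins over a "no" added below it. Prints nothing if the key is unset.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first match wins, like sshd
    ' "$1"
}

# Audit one sshd_config file. Returns 0 if all three settings match the
# guide (non-default port, Protocol 2 only, PermitRootLogin no), else 1.
audit_sshd_config() {
    rc=0
    port=$(sshd_value "$1" Port)
    proto=$(sshd_value "$1" Protocol)
    root=$(sshd_value "$1" PermitRootLogin)
    case "$port" in
        ""|22) echo "FAIL Port is still the default 22"; rc=1 ;;
        *)     echo "OK   Port $port" ;;
    esac
    [ "$proto" = "2" ] && echo "OK   Protocol 2" \
        || { echo "FAIL Protocol '${proto:-unset}' (must be exactly 2)"; rc=1; }
    [ "$root" = "no" ] && echo "OK   PermitRootLogin no" \
        || { echo "FAIL PermitRootLogin '${root:-unset}' (must be no)"; rc=1; }
    return $rc
}

# Check one "ls -l" line for su: mode -rwsr-x--- (4750), owner root, group wheel.
# Taking the line as an argument keeps the check usable on saved output too.
su_line_ok() {
    set -- $1
    [ "$1" = "-rwsr-x---" ] && [ "$3" = "root" ] && [ "$4" = "wheel" ]
}

# Run against the live system only when explicitly asked.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_sshd_config "${1:-/etc/ssh/sshd_config}"
    su_line_ok "$(ls -l /bin/su)" && echo "OK   /bin/su is root:wheel 4750" \
        || echo "FAIL /bin/su is not root:wheel 4750"
fi
```

The script does not check group membership; `id -nG admin` shows whether wheel is among the user's groups. Note that `usermod -G` without `-a` replaces the user's supplementary group list rather than appending to it, which is harmless for a freshly created user but worth knowing when hardening an existing account.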