Restricting root access to host from command line


emilioestevezz

Hi, for structural reasons, I have a host that doesn't have a monitor, keyboard and mouse. The only way of gaining access is through ssh from only one terminal, but I can enter as root. I would like to disable this possibility, but the only way of doing this is from the command line, and I don't know where to modify this.

 

Any clue?

 

Thanks.

 

 

Emilio.

Link to comment
Share on other sites

I believe you can specify users that can and cannot ssh into a system with the ssh configuration module in webmin.

 

Just a question, though: Why do you want to restrict root access? Seems to me that you would want root access into a server. Are you afraid of other users getting into your server?

Link to comment
Share on other sites

You can make it harder for root to have access by removing the "allow root password" option.

This means that root (or anyone else) can only get in if the keys match.

You could also configure your firewall to allow root, but only from a specified IP. This is very secure, but could cause untold problems if your IP changes etc.

Link to comment
Share on other sites

Just a question, though:  Why do you want to restrict root access?  Seems to me that you would want root access into a server.  Are you afraid of other users getting into your server?

 

I've read in some security article on the net that one of the basic measures for securing a server is to prevent the root user from logging in directly; this means that you should first log in as a regular non-privileged user and then "su" to the root account. It seems rather logical and harmless to me, so I will do it. I was also looking at some articles and I think I got an idea of how to do it. I think it's just a matter of removing root from a system file that controls the users that can log in, but I don't know which file or where it is located; I guess it must be in /etc.

 

Thanks.

Emilio

Link to comment
Share on other sites

You can make it harder for root to have access by removing the "allow root password" option.

This means that  root (or anyone else) can only get in if the keys match.

You could also configure your firewall to allow root, but only from a specified IP.  This is very secure, but  could cause untold problems if your IP changes etc.

 

 

Yes, it could be another solution, but I think I'm gonna try to do the other thing, but thanks!

 

Emilio.

Link to comment
Share on other sites

The login options for ssh are located in /etc/sshd_config and another one (maybe others too, but these I know of) /etc/ssh_config?

 

Anyway, in /etc/sshd_config you can specify AllowUsers and disallow root access, I think. Check man sshd_config.

 

I'm not sure but does ssh use tcp-wrappers? Else you can also use /etc/allow_hosts and /etc/deny_hosts to allow and deny access.

 

On top of that you can, as mentioned, use your firewall and specify which users may make connections to that port... I'm not totally sure if that is possible, since I haven't tried it yet, but I saw something like that in the shorewall config files. I'm not sure how secure it would be, though.

 

And you could make a strong key for ssh .... I suppose

 

Hope this helps some.

Link to comment
Share on other sites
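Added example, not part of any post in this thread: a shell check for the sshd_config settings mentioned above (root login, password authentication, AllowUsers), using the PermitRootLogin and PasswordAuthentication keywords from man sshd_config. The function names, the sample file and the user name opsuser are constructed for illustration; it assumes whitespace-separated keywords and does not evaluate Include files or the contents of Match blocks.

```shell
#!/bin/sh
# sshd uses the FIRST value it finds for each keyword, and keywords are
# case-insensitive, so a later "PermitRootLogin no" does not override an earlier one.

# first_value FILE KEYWORD -> prints the first global (pre-Match) value, or "unset"
first_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }    # global scope ends at the first Match block
        tolower($1) == key {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
            exit
        }
        END { print val }
    ' "$1"
}

# audit_sshd FILE -> prints the findings; returns 0 only if PermitRootLogin is "no"
audit_sshd() {
    root=$(first_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pass=$(first_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    allow=$(first_value "$1" AllowUsers)
    echo "PermitRootLogin=$root PasswordAuthentication=$pass AllowUsers=$allow"
    case " $allow " in
        *" root "*|*" root@"*) echo "WARN: AllowUsers lists root" ;;
    esac
    [ "$root" = "no" ]
}

# Constructed sample: the second PermitRootLogin line is never reached by sshd.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
permitrootlogin prohibit-password
PasswordAuthentication no
AllowUsers opsuser
PermitRootLogin no
Match Address 192.0.2.10
    PermitRootLogin yes
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_sshd "$tmp" || echo "FAIL: global PermitRootLogin is not 'no'"
rm -f "$tmp"
```

On a host reachable only over ssh, run `sshd -t` to check the edited file for syntax errors before reloading the daemon, and keep the current session open until a new login has been confirmed.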
