emilioestevezz Posted August 3, 2004

Hi, for structural reasons, I have a host that doesn't have a monitor, keyboard and mouse; the only way of gaining access is through ssh from only one terminal, but I can enter as root. I would like to disable this possibility, but the only way of doing this is from the command line, and I don't know where to modify this. Any clue? Thanks. Emilio.

liquidzoo Posted August 3, 2004

I believe you can specify users that can and cannot ssh into a system with the ssh configuration module in webmin. Just a question, though: Why do you want to restrict root access? Seems to me that you would want root access into a server. Are you afraid of other users getting into your server?

Guest anon Posted August 3, 2004

You can make it harder for root to have access by removing the "allow root password" option. This means that root (or anyone else) can only get in if the keys match. You could also configure your firewall to allow root, but only from a specified IP. This is very secure, but could cause untold problems if your IP changes etc.

emilioestevezz Posted August 5, 2004

> Just a question, though: Why do you want to restrict root access? Seems to me that you would want root access into a server. Are you afraid of other users getting into your server?

I've read in some security article on the net that one of the basic measures for securing a server was to remove the root user's ability to log in directly; this means that you should first log in as a regular non-privileged user and then "su" to the root account. It seems rather logical and harmless to me, so I will do it. I was also looking at some articles and I think I got an idea of how to do it; I think it's just a matter of removing root from a system file that controls the users that can log in, but I don't know which file or where it is located; I guess it must be in /etc. Thanks. Emilio

emilioestevezz Posted August 5, 2004

> You can make it harder for root to have access by removing the "allow root password" option. This means that root (or anyone else) can only get in if the keys match. You could also configure your firewall to allow root, but only from a specified IP. This is very secure, but could cause untold problems if your IP changes etc.

Yes, it could be another solution, but I think I'm gonna try to do the other thing, but thanks! Emilio.

Michel Posted August 7, 2004

The login options for ssh are located in /etc/sshd_config and another one (maybe others too, but these I know of) /etc/ssh_config? Anyway, in /etc/sshd_config you can specify AllowUsers and disallow root access, I think. Check man sshd_config. I'm not sure, but does ssh use tcp-wrappers? Else you can also use /etc/allow_hosts and /etc/deny_hosts to allow and deny access. Above that you can, like mentioned, use your firewall and specify which users may make connections to that port... I'm not totally sure if that is possible, since I haven't tried it yet, but I saw something like that in the shorewall config files. I'm not sure how secure it would be though. And you could make a strong key for ssh... I suppose. Hope this helps some.

iphitus Posted August 8, 2004

Just find this:

    PermitRootLogin yes

in sshd_config and change it to

    PermitRootLogin no

Then save and restart sshd.

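The edit described in the last post, scripted with a backup and a syntax check so that a host reachable only over ssh is not left with a broken config. This is an added example, not part of the original thread; the function names and the /etc/ssh/sshd_config path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): set "PermitRootLogin no" in an sshd_config file.

# disable_root_login FILE: hypothetical helper; backs up FILE to FILE.bak first.
disable_root_login() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    rc=0
    # Rewrite every active PermitRootLogin line (keywords are case-insensitive,
    # commented lines are left alone). Exit 3 if none was found in the global
    # section, i.e. before the first Match block.
    awk '
        tolower($1) == "match" { in_match = 1 }
        tolower($1) == "permitrootlogin" {
            if (!in_match) global = 1
            print "PermitRootLogin no"
            next
        }
        { print }
        END { exit (global ? 0 : 3) }
    ' "$conf" > "$tmp" || rc=$?
    case $rc in
        0) ;;
        3)  # No global setting: add one on the first line, because sshd
            # uses the first value it reads for each keyword.
            { echo "PermitRootLogin no"; cat "$tmp"; } > "$tmp.new" &&
                mv "$tmp.new" "$tmp" || { rm -f "$tmp" "$tmp.new"; return 1; } ;;
        *)  rm -f "$tmp"; return 1 ;;
    esac
    cat "$tmp" > "$conf" && rm -f "$tmp"   # overwrite in place: keeps owner and mode
}

# validate_config FILE: sshd's own syntax check; run it before restarting.
validate_config() {
    sshd -t -f "$1"
}

# Typical order on a host reachable only over ssh:
#   1. confirm a regular user can log in and "su" to root
#   2. disable_root_login /etc/ssh/sshd_config   (path varies by system)
#   3. validate_config /etc/ssh/sshd_config
#   4. restart sshd, then test a new login before closing the current session
```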