Disabling direct SSH Root Login and Permitting through “su” user in Linux

Published by Balaji C on

Disabling SSH Root Login and Permitting through “su” user in Linux

Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers,  we need to enable/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For a security measure we have to disable the direct root access and permit via su user.

From this post, we are going to see how to secure our server’s SSH login with additional security.

1.Prerequisites

  • CentOS 7.3 (Operating system used here)
  • root privileges.

Let’s continue with creating the user

2.Creating new user

To create the su user and disable ssh root login from outside world, follow the below steps.

#adduser webhost
[root@coimbatorewebhosting~]# adduser webhost
[root@coimbatorewebhosting~]# passwd webhost
Changing password for user webhost.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

If you want to give a super user access to existing user, just add the user to group file.

3.Adding the user to wheel group

Now, we need to add the user to “wheel” group to make the user as a “su” user. edit /etc/group file to add it.

# nano /etc/group

Normal, output of group file will be as follows

GNU nano 2.3.1 File: /etc/group

root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:30:
. . . 
. . .

After adding the user to the “wheel” group, save the file and confirm that the user was added to “wheel” group using the following command.

# cat /etc/group | grep wheel

You can confirm it by the following output

[root@coimbatorewebhosting~]# cat /etc/group | grep wheel
wheel:x:10:webhost
[root@coimbatorewebhosting~]#

4.Disabling direct Root access

By editing the /etc/ssh/sshd_config file and uncomment the “PermitRootLogin” to “no” to disable the direct ssh root login.

# nano /etc/ssh/sshd_config

Output of sshd_config file be like:

# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

. . .

. . .

Once the modification was done as above, restart the ssh service using

You can also modify the ssh port number for additional security, click here

# systemctl restart sshd.service

5.Login Directly via root user

Now, let try to login the server via root user to check whether it’s login directly root or not.

Using username "root".
[email protected]'s password:
Access denied
[email protected]'s password:

Yes, It is not allowing to login directly as root, so we are in right path.

6.Login via “su” user

Now, try to login the server with su user and successfully login to server.

Using username "webhost".

[email protected]'s password:
[webhost@coimbatorewebhosting~]$ su -
Password:

Last login: Tue Dec 26 12:07:39 EET 2017 from 182.13.23.38
[root@coimbatorewebhosting~]#

Yes, now we can able to login to the server using su user.

To know about SSH commands used in server click here.

Categories: GENERALLINUX
Tags:

Related Posts

LINUX

Check Opened Port on Linux VPS Server using SSH command

How to Check Opened Port on Linux VPS Server using SSH command What is a Listening Port on a Linux Server Services and applications use listening ports to monitor incoming network requests. Each listening port Read more…

Direct admin accounts to cpanel
Direct admin

Migrating Direct Admin accounts to cPanel server

Migrating Direct Admin accounts to cPanel server In this tutorial, We are going to see how to migrate accounts from a Direct Admin server to a cPanel server. Migrating accounts manually is surprisingly a simple Read more…

Centos 7/RHEL 7

Running AutoSSL for a user can error with “failed to obtain filesystem information: Permission denied”

Cpaenl error message shows ,The system failed to obtain filesystem information about “/var/cpanel/ssl/apache_tls/domain.com/combined” because of an error: Permission denied. This error will occur in cpanel server when ever user logged in to cpanel dash board. Read more…