{"id":921,"date":"2018-05-09T17:24:34","date_gmt":"2018-05-09T11:54:34","guid":{"rendered":"https:\/\/www.coimbatorewebhosting.com\/blog\/?p=921"},"modified":"2019-06-17T16:36:21","modified_gmt":"2019-06-17T11:06:21","slug":"disable-ssh-root-login-permit-su","status":"publish","type":"post","link":"https:\/\/coimbatorewebhosting.com\/blog\/disable-ssh-root-login-permit-su\/","title":{"rendered":"Disabling direct SSH Root Login and Permitting through \u201csu\u201d user in Linux"},"content":{"rendered":"<h4><span class=\"ez-toc-section\" id=\"Disabling_SSH_Root_Login_and_Permitting_through_%E2%80%9Csu%E2%80%9D_user_in_Linux\"><\/span>Disabling SSH Root Login and Permitting through \u201csu\u201d user in Linux<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>As everyone knows, servers nowadays face a large number of hacking attempts. On Linux servers in particular, we need to enable or disable some components to prevent these kinds of attempts. By default, the <a href=\"https:\/\/www.coimbatorewebhosting.com\/blog\/ftp-passive-ports-range-cpanel\/\" title=\"root user\" alt=\"root user\">root user<\/a> is enabled on a Linux server, and this is not recommended. 
As a security measure, we have to disable direct root access and permit it via an su user.<\/p>\n<p>In this post, we will see how to add this extra security to our server\u2019s SSH login.<\/p>\n<h4 id=\"prerequisites\"><span class=\"ez-toc-section\" id=\"1Prerequisites\"><\/span><span style=\"text-decoration: underline;\">1. Prerequisites<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>CentOS 7.3 (operating system used here)<\/li>\n<li>Root privileges<\/li>\n<\/ul>\n<p>Let\u2019s continue by creating the user.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>2. Creating new user<\/strong><\/span><\/p>\n<p>To create the su user and disable SSH root login from the outside world, follow the steps below.<\/p>\n<pre># adduser webhost\r\n[root@coimbatorewebhosting~]# adduser webhost\r\n[root@coimbatorewebhosting~]# passwd webhost\r\nChanging password for user webhost.\r\nNew password:\r\nRetype new password:\r\npasswd: all authentication tokens updated successfully.<\/pre>\n<p>If you want to give superuser access to an existing user, just add that user to the group file.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>3. Adding the user to wheel group<\/strong><\/span><\/p>\n<p>Now we need to add the user to the \u201cwheel\u201d group to make it an \u201csu\u201d user. Edit the \/etc\/group file to add it.<\/p>\n<pre># nano \/etc\/group<\/pre>\n<p>Normally, the group file looks as follows:<\/p>\n<pre>GNU nano 2.3.1 File: \/etc\/group\r\n\r\nroot:x:0:\r\nbin:x:1:\r\ndaemon:x:2:\r\nsys:x:3:\r\nadm:x:4:\r\ntty:x:5:\r\ndisk:x:6:\r\nlp:x:7:\r\nmem:x:8:\r\nkmem:x:9:\r\nwheel:x:10:\r\ncdrom:x:11:\r\nmail:x:12:postfix\r\nman:x:15:\r\ndialout:x:18:\r\nfloppy:x:19:\r\ngames:x:20:\r\ntape:x:30:\r\n. . . \r\n. . 
.<\/pre>\n<p>After adding the user to the \u201cwheel\u201d group, save the file and confirm that the user was added to the \u201cwheel\u201d group using the following command.<\/p>\n<pre># cat \/etc\/group | grep wheel<\/pre>\n<p>The following output confirms it:<\/p>\n<pre>[root@coimbatorewebhosting~]# cat \/etc\/group | grep wheel\r\nwheel:x:10:webhost\r\n[root@coimbatorewebhosting~]#<\/pre>\n<p><span style=\"text-decoration: underline;\"><strong>4. Disabling direct Root access<\/strong><\/span><\/p>\n<p>Edit the \/etc\/ssh\/sshd_config file, uncomment the \u201cPermitRootLogin\u201d line and set it to \u201cno\u201d to disable direct SSH root login.<\/p>\n<pre># nano \/etc\/ssh\/sshd_config<\/pre>\n<p>The sshd_config file will look like this:<\/p>\n<pre># $OpenBSD: sshd_config,v 1.100 2016\/08\/15 12:32:04 naddy Exp $\r\n\r\n# This is the sshd server system-wide configuration file. See\r\n# sshd_config(5) for more information.\r\n\r\n# This sshd was compiled with PATH=\/usr\/local\/bin:\/usr\/bin\r\n\r\n# The strategy used for options in the default sshd_config shipped with\r\n# OpenSSH is to specify options with their default value where\r\n# possible, but leave them commented. 
Uncommented options override the\r\n# default value.\r\n\r\n# If you want to change the port on a SELinux system, you have to tell\r\n# SELinux about this change.\r\n# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\r\n#\r\n#Port 22\r\n#AddressFamily any\r\n#ListenAddress 0.0.0.0\r\n#ListenAddress ::\r\n\r\nHostKey \/etc\/ssh\/ssh_host_rsa_key\r\n#HostKey \/etc\/ssh\/ssh_host_dsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ecdsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\r\n\r\n# Ciphers and keying\r\n#RekeyLimit default none\r\n\r\n# Logging\r\n#SyslogFacility AUTH\r\nSyslogFacility AUTHPRIV\r\n#LogLevel INFO\r\n\r\n# Authentication:\r\n\r\n#LoginGraceTime 2m\r\nPermitRootLogin no\r\n#StrictModes yes\r\n#MaxAuthTries 6\r\n#MaxSessions 10\r\n\r\n#PubkeyAuthentication yes\r\n\r\n# The default is to check both .ssh\/authorized_keys and .ssh\/authorized_keys2\r\n# but this is overridden so installations will only check .ssh\/authorized_keys\r\nAuthorizedKeysFile .ssh\/authorized_keys\r\n\r\n#AuthorizedPrincipalsFile none\r\n\r\n#AuthorizedKeysCommand none\r\n#AuthorizedKeysCommandUser nobody\r\n\r\n. . .\r\n\r\n. . 
.<\/pre>\n<p>Once the modification is done as above, restart the SSH service using:<\/p>\n<pre># systemctl restart sshd.service<\/pre>\n<p>You can also change the <a href=\"https:\/\/www.ssh.com\/ssh\/port\" rel=\"nofollow noopener\" target=\"_blank\">SSH port<\/a> number for additional security.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>5. Login Directly via root user<\/strong><\/span><\/p>\n<p>Now, let\u2019s try to log in to the server as the root user to check whether direct root login still works.<\/p>\n<pre>Using username \"root\".\r\nroot@103.12.211.150's password:\r\nAccess denied\r\nroot@103.12.211.150's password:<\/pre>\n<p>Yes, it does not allow logging in directly as root, so we are on the right path.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>6. Login via \u201csu\u201d user<\/strong><\/span><\/p>\n<p>Now, try to log in to the server with the su user; the login succeeds.<\/p>\n<pre>Using username \"webhost\".\r\nwebhost@103.12.211.150's password:\r\n[webhost@coimbatorewebhosting~]$ su -\r\nPassword:\r\n\r\nLast login: Tue Dec 26 12:07:39 EET 2017 from 182.13.23.38\r\n[root@coimbatorewebhosting~]#<\/pre>\n<p>Yes, now we are able to log in to the server using the su user.<\/p>\n<p>To learn about SSH commands used on a server, <a href=\"https:\/\/www.coimbatorewebhosting.com\/blog\/commands-used-in-ssh-to-view-disk-size-and-usage-in-server-dedicated-vps\/\">click here.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disabling SSH Root Login and Permitting through \u201csu\u201d user in Linux As everyone knows, servers nowadays face a large number of hacking attempts. On Linux servers in particular, we need to enable or disable some components to prevent these kinds of attempts. 
By default the root user is enabled in linux server and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":944,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[17,3],"tags":[67,66],"class_list":["post-921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","category-linux","tag-authentication","tag-sshd_config"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/coimbatorewebhosting.com\/blog\/wp-content\/uploads\/2018\/05\/disable-root-ssh-login-whm.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pa2YU7-eR","_links":{"self":[{"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/posts\/921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/comments?post=921"}],"version-history":[{"count":0,"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/posts\/921\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/media\/944"}
],"wp:attachment":[{"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/media?parent=921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/categories?post=921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coimbatorewebhosting.com\/blog\/wp-json\/wp\/v2\/tags?post=921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}