deny root remote login to ssh

why would you do this ? well everyone knows that 'root' (the username) is the admin of your box, so by denying 'root' remote access to ssh into your box you are making it just a wee bit harder for the hackers to get into your box since now they will have to guess a username on your box.


1. As root,

vi /etc/ssh/sshd_config


2. In there find (or create) a line that reads


Quote:
# Authentication:
#LoginGraceTime 120

PermitRootLogin no

#StrictModes yes

The line PermitRootLogin no is the important one. Note there is no # in front of it.


3. Once you have made those changes, save the file (esc then :wq).


4. Restart sshd (service sshd restart).


With this line root cannot ssh into the box. To become root, ssh in as a normal user then use su - to become root once logged in.





nice tip thanks. for anyone that makes silly mistakes like me, typing No instead of no caused an error when i tried to restart ssh. once i changed it, restart went fine.

Having your sshd die on you is scary.. so if you are working on remote boxen, always run a usermode sshd on port 4000 or something as a spare in case something goes wrong... or webmin or something..



Something that I do with my sshd_config...



#Port 22
Protocol 2
#ListenAddress ::



change from Protocol 2,1 because having it as 2,1 doesn't necessarily mean 1 is a fallback method; ie sshd might just negotiate 1 first up which is just nasty. so make sure your box does not support telnet or ssh 1.

I make it listen on a single ip address that's unused from other services.. this helps to segregate services or if you want to tcp wrapper the service.


Also some other neat settings


AllowUsers dallas, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd


and other popular system accounts (who in most cases have their shell set to /bin/false)





hmm, i've tried this


AllowUsers test, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd


and i cannot login as user 'test' i always get permission denied, i can login as user 'anyweb' though, yes i've restarted sshd.


if i remove either anyweb or the test user (from the allowusers) and restart sshd then i can ssh in as that person no problem, so what is the issue ?






AllowUsers - if specified .. login is allowed ONLY for the usernames that match the patterns you set there SEPARATED BY SPACES <-- :)


Manpages rock



AllowUsers test anyweb  user? users*


No need to deny, as it will ONLY allow those...


Or you can:

DenyUsers test anyweb user? users*


Accept all users EXCEPT those in deny users.


Use one or the other.


good stuff thanks znx and jy in IRC


so for others out there the correct format is


AllowUsers test anyweb
DenyUsers www oracle daemon ftpd spamd
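To catch the mistakes this thread ran into before restarting sshd (a capitalised "No", commas in AllowUsers/DenyUsers, Protocol 2,1 still offering SSH-1), here is an added POSIX shell audit script; it is not from the thread, assumes only awk and mktemp, and uses constructed sample configs rather than real files.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the mistakes
# discussed above: PermitRootLogin "No" instead of "no", comma-separated
# AllowUsers/DenyUsers lists, and Protocol 2,1 still offering SSH-1.
# Prints one finding per line and returns the number of findings (0 = clean).
# Match blocks are ignored; run `sshd -t` as well before restarting sshd.

check_sshd_config() {
    file="$1"
    n=0
    # sshd uses the first value it sees for a keyword; keywords are
    # case-insensitive but arguments are not, so compare the argument exactly.
    prl=$(awk 'tolower($1)=="permitrootlogin" && !d {v=$2; d=1} END{print v}' "$file")
    if [ -z "$prl" ]; then
        echo "PermitRootLogin is not set; add 'PermitRootLogin no'"; n=$((n+1))
    elif [ "$prl" != "no" ]; then
        echo "PermitRootLogin is '$prl', expected 'no' (case-sensitive)"; n=$((n+1))
    fi
    # AllowUsers/DenyUsers take space-separated patterns; a comma becomes
    # part of the pattern, so 'test,' never matches the user test.
    commas=$(awk 'tolower($1) ~ /^(allowusers|denyusers)$/ && /,/' "$file")
    if [ -n "$commas" ]; then
        printf '%s\n' "$commas" | while read -r l; do
            echo "comma-separated list, use spaces instead: $l"
        done
        n=$((n + $(printf '%s\n' "$commas" | wc -l)))
    fi
    proto=$(awk 'tolower($1)=="protocol" && !d {v=$2; d=1} END{print v}' "$file")
    case "$proto" in
        *1*) echo "Protocol '$proto' still offers SSH protocol 1"; n=$((n+1)) ;;
    esac
    return "$n"
}

# Constructed sample configs (not real files) reproducing the thread's mistakes
# and the corrected form; each function prints the path of a temp file.
make_bad_sample() {
    f=$(mktemp); cat >"$f" <<'EOF'
# Authentication:
#LoginGraceTime 120
PermitRootLogin No
Protocol 2,1
AllowUsers test, anyweb
DenyUsers www, oracle, daemon, ftpd, spamd
EOF
    echo "$f"
}
make_good_sample() {
    f=$(mktemp); cat >"$f" <<'EOF'
Protocol 2
PermitRootLogin no
AllowUsers test anyweb
EOF
    echo "$f"
}
```

Against a real box, call `check_sshd_config /etc/ssh/sshd_config` and fix every line it prints before `service sshd restart`.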





Is there a way to deny SSH from an address range? Or in that case only allow it?


I have direct login disabled, and I have another user with ssh enabled (in cpanel). However there is one more step I need to do I think...

[~]# su -
-bash: /bin/su: Permission denied
[~]# su-
-bash: su-: command not found


Quote:Is there a way to deny SSH from an address range? Or in that case only allow it?

Yes there is, ssh respects the /etc/hosts.allow and /etc/hosts.deny.


For instance:


$ cat /etc/hosts.deny
ALL: ALL
$ cat /etc/hosts.allow
# Allow localhost, my local LAN, my work
ALL: .home EXCEPT voyager.home


That setup says:

DENY, ALL services from ALL hosts.

ALLOW, ALL services from

ALLOW, ALL services matching .home EXCEPT voyager.home (my lan).

ALLOW, SSHD service, from matching (my work).


You can look up for more interesting tricks with hosts.allow and hosts.deny.

