Disabling direct root login and Permitting through “su” user in Linux
Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers, we need to enable/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For a security measure we have to disable the direct root access and permit via su user.
From this post, we are going to see how to secure our server’s SSH login with additional security.
- CentOS 7.3 (Operating system used here)
- root privileges.
Let’s continue with creating the user
2.Creating new user
To create the su user and disable ssh root login from outside world, follow the below steps.
[root@webhostingchennai ~]# adduser webhost [root@webhostingchennai ~]# passwd webhost Changing password for user webhost. New password: Retype new password: passwd: all authentication tokens updated successfully.
If you want to give a super user access to existing user, just add the user to group file.
3.Adding the user to wheel group
Now, we need to add the user to “wheel” group to make the user as a “su” user. edit
/etc/group file to add it.
# nano /etc/group
Normal, output of group file will be as follows
GNU nano 2.3.1 File: /etc/group root:x:0: bin:x:1: daemon:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: lp:x:7: mem:x:8: kmem:x:9: wheel:x:10: cdrom:x:11: mail:x:12:postfix man:x:15: dialout:x:18: floppy:x:19: games:x:20: tape:x:30: . . . . . .
After adding the user to the “wheel” group, save the file and confirm that the user was added to “wheel” group using the following command.
# cat /etc/group | grep wheel
You can confirm it by the following output
[root@webhostingchennai ~]# cat /etc/group | grep wheel wheel:x:10:webhost [root@webhostingchennai ~]#
4.Disabling direct Root access
By editing the
/etc/ssh/sshd_config file and uncomment the “PermitRootLogin” to “no” to disable the direct ssh root login.
# nano /etc/ssh/sshd_config
Output of sshd_config file be like:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody . . . . . .
Once the modification was done as above, restart the ssh service using
You can also modify the ssh port number for additional security, click here
# systemctl restart sshd.service
5.Login Directly via root user
Now, let try to login the server via root user to check whether it’s login directly root or not.
Using username "root". email@example.com's password: Access denied firstname.lastname@example.org's password:
Yes, It is not allowing to login directly as root, so we are in right path.
6.Login via “su” user
Now, try to login the server with su user and successfully login to server.
Using username "webhost". email@example.com's password: [webhost@webhostingchennai ~]$ su - Password: Last login: Tue Dec 26 12:07:39 EET 2017 from 18.104.22.168 [root@webhostingchennai ~]#
Yes, now we can able to login to the server using su user.