{"id":103,"date":"2019-11-21T16:46:30","date_gmt":"2019-11-21T11:16:30","guid":{"rendered":"https:\/\/chennaiwebhosting.in\/blog\/?p=103"},"modified":"2019-11-21T16:52:53","modified_gmt":"2019-11-21T11:22:53","slug":"permitting-ssh-login-through-su-user-in-centos","status":"publish","type":"post","link":"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/","title":{"rendered":"Permitting SSH login through su user in CentOs"},"content":{"rendered":"<p>Disabling direct root login and Permitting through \u201csu\u201d user in Linux<\/p>\n<p>Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers,\u00a0 we need to enable\/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For a security measure we have to disable the direct root access and permit via su user.<\/p>\n<p>From this post, we are going to see how to secure our server\u2019s SSH login with additional security.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_80 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/#1Prerequisites\" >1.Prerequisites<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/#2Creating_new_user\" >2.Creating new user<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/#3Adding_the_user_to_wheel_group\" >3.Adding the user to wheel group<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/#4Disabling_direct_Root_access\" >4.Disabling direct Root access<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/#5Login_Directly_via_root_user\" >5.Login Directly via root user<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/chennaiwebhosting.in\/blog\/permitting-ssh-login-through-su-user-in-centos\/#6Login_via_%E2%80%9Csu%E2%80%9D_user\" >6.Login via \u201csu\u201d user<\/a><\/li><\/ul><\/nav><\/div>\n<h4 id=\"prerequisites\" class=\"fittexted_for_content_h4\"><span class=\"ez-toc-section\" id=\"1Prerequisites\"><\/span>1.Prerequisites<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>CentOS 7.3 (Operating system used here)<\/li>\n<li>root privileges.<\/li>\n<\/ul>\n<p>Let\u2019s continue with creating the user<\/p>\n<h4 class=\"fittexted_for_content_h4\"><span class=\"ez-toc-section\" id=\"2Creating_new_user\"><\/span>2.Creating new user<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>To create the su user and disable ssh root login from outside world, follow the below steps.<\/p>\n<pre>#adduser webhost<\/pre>\n<pre>[root@webhostingchennai ~]# adduser webhost\r\n[root@webhostingchennai ~]# passwd webhost\r\nChanging password for user webhost.\r\nNew password:\r\nRetype new password:\r\npasswd: all authentication tokens updated successfully.\r\n<\/pre>\n<p>If you want to give a super user access to existing user, just add the user to group file.<\/p>\n<h4 class=\"fittexted_for_content_h4\"><span class=\"ez-toc-section\" id=\"3Adding_the_user_to_wheel_group\"><\/span>3.Adding the user to wheel group<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Now, we need to add the user to \u201cwheel\u201d group to make the user as a \u201csu\u201d user. edit\u00a0<code>\/etc\/group<\/code>\u00a0file to add it.<\/p>\n<pre># nano \/etc\/group<\/pre>\n<p>Normal, output of group file will be as follows<\/p>\n<pre>GNU nano 2.3.1 File: \/etc\/group\r\n\r\nroot:x:0:\r\nbin:x:1:\r\ndaemon:x:2:\r\nsys:x:3:\r\nadm:x:4:\r\ntty:x:5:\r\ndisk:x:6:\r\nlp:x:7:\r\nmem:x:8:\r\nkmem:x:9:\r\nwheel:x:10:\r\ncdrom:x:11:\r\nmail:x:12:postfix\r\nman:x:15:\r\ndialout:x:18:\r\nfloppy:x:19:\r\ngames:x:20:\r\ntape:x:30:\r\n. . . \r\n. . .\r\n<\/pre>\n<p>After adding the user to the \u201cwheel\u201d group, save the file and confirm that the user was added to \u201cwheel\u201d group using the following command.<\/p>\n<pre># cat \/etc\/group | grep wheel<\/pre>\n<p>You can confirm it by the following output<\/p>\n<pre>[root@webhostingchennai ~]# cat \/etc\/group | grep wheel\r\nwheel:x:10:webhost\r\n[root@webhostingchennai ~]#\r\n<\/pre>\n<h4 class=\"fittexted_for_content_h4\"><span class=\"ez-toc-section\" id=\"4Disabling_direct_Root_access\"><\/span>4.Disabling direct Root access<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>By editing the\u00a0<code>\/etc\/ssh\/sshd_config<\/code>\u00a0file and uncomment the \u201c<em>PermitRootLogin<\/em>\u201d to \u201c<em>no<\/em>\u201d to disable the direct ssh root login.<\/p>\n<pre># nano \/etc\/ssh\/sshd_config<\/pre>\n<p>Output of sshd_config file be like:<\/p>\n<pre># $OpenBSD: sshd_config,v 1.100 2016\/08\/15 12:32:04 naddy Exp $\r\n\r\n# This is the sshd server system-wide configuration file. See\r\n# sshd_config(5) for more information.\r\n\r\n# This sshd was compiled with PATH=\/usr\/local\/bin:\/usr\/bin\r\n\r\n# The strategy used for options in the default sshd_config shipped with\r\n# OpenSSH is to specify options with their default value where\r\n# possible, but leave them commented. Uncommented options override the\r\n# default value.\r\n\r\n# If you want to change the port on a SELinux system, you have to tell\r\n# SELinux about this change.\r\n# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\r\n#\r\n#Port 22\r\n#AddressFamily any\r\n#ListenAddress 0.0.0.0\r\n#ListenAddress ::\r\n\r\nHostKey \/etc\/ssh\/ssh_host_rsa_key\r\n#HostKey \/etc\/ssh\/ssh_host_dsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ecdsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\r\n\r\n# Ciphers and keying\r\n#RekeyLimit default none\r\n\r\n# Logging\r\n#SyslogFacility AUTH\r\nSyslogFacility AUTHPRIV\r\n#LogLevel INFO\r\n\r\n# Authentication:\r\n\r\n#LoginGraceTime 2m\r\nPermitRootLogin no\r\n#StrictModes yes\r\n#MaxAuthTries 6\r\n#MaxSessions 10\r\n\r\n#PubkeyAuthentication yes\r\n\r\n# The default is to check both .ssh\/authorized_keys and .ssh\/authorized_keys2\r\n# but this is overridden so installations will only check .ssh\/authorized_keys\r\nAuthorizedKeysFile .ssh\/authorized_keys\r\n\r\n#AuthorizedPrincipalsFile none\r\n\r\n#AuthorizedKeysCommand none\r\n#AuthorizedKeysCommandUser nobody\r\n\r\n. . .\r\n\r\n. . .\r\n<\/pre>\n<p>Once the modification was done as above,\u00a0 restart the ssh service using<\/p>\n<p>You can also modify the ssh port number for additional security,\u00a0<a href=\"http:\/\/www.webhostingchennai.co.in\/blog\/security\/change-ssh-port\/\" rel=\"nofollow noopener\" target=\"_blank\">click here<\/a><\/p>\n<pre># systemctl restart sshd.service<\/pre>\n<h4 class=\"fittexted_for_content_h4\"><span class=\"ez-toc-section\" id=\"5Login_Directly_via_root_user\"><\/span><strong>5.Login Directly via root user<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Now, let try to login the server via root user to check whether it\u2019s login directly root or not.<\/p>\n<pre>Using username \"root\".\r\nroot@103.12.211.150's password:\r\nAccess denied\r\nroot@103.12.211.150's password:\r\n<\/pre>\n<p>Yes, It is not allowing to login directly as root, so we are in right path.<\/p>\n<h4 class=\"fittexted_for_content_h4\"><span class=\"ez-toc-section\" id=\"6Login_via_%E2%80%9Csu%E2%80%9D_user\"><\/span>6.Login via \u201csu\u201d user<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Now, try to login the server with su user and successfully login to server.<\/p>\n<pre>Using username \"webhost\".\r\nwebhost@103.12.211.150's password:\r\n[webhost@webhostingchennai ~]$ su -\r\nPassword:\r\n\r\nLast login: Tue Dec 26 12:07:39 EET 2017 from 182.13.23.38\r\n[root@webhostingchennai ~]#\r\n<\/pre>\n<p>Yes, now we can able to login to the server using su user.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disabling direct root login and Permitting through \u201csu\u201d user in Linux Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers,\u00a0 we need to enable\/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":108,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[14,13,1,11],"tags":[37,38,39],"class_list":["post-103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos-6-rhel-6","category-centos-7-rhel-7","category-home","category-linux","tag-disabling-direct-root-login","tag-enabling-su-user-in-linux","tag-login-using-su-user-in-linux"],"_links":{"self":[{"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/comments?post=103"}],"version-history":[{"count":3,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/103\/revisions"}],"predecessor-version":[{"id":109,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/103\/revisions\/109"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/media\/108"}],"wp:attachment":[{"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/media?parent=103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/categories?post=103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chennaiwebhosting.in\/blog\/wp-json\/wp\/v2\/tags?post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}