The goal is to remove our server's exposure to root login attempts over ssh. On the Internet, servers operated by attackers continuously scan for ssh and specifically target the root account.
Our use of fail2ban (see the article) lets us detect repeated failed ssh login attempts on the server; the IP at the origin of these attempts is then blocked for a defined time. But this does not stop the server from accepting ssh connection attempts as root in the first place.
A good practice is to disable root login over ssh and add a non-root user to the server, from which you switch to root when needed.
In what follows we work on a CentOS 7 distribution; from one distribution to another there is little or no difference in these steps.
The steps to follow, in order:
Create the "simple" user, e.g. teambichon, and give it a password:
useradd teambichon
passwd teambichon
Then we add this user to the sudo users.
Open the file /etc/sudoers using the visudo editor (this matters: when you exit, visudo checks the syntax and refuses to save a broken file, which would otherwise leave you without sudo):
visudo
Then add the following 2 lines at the bottom of the file (the user name must match exactly the account created above):
Defaults rootpw
teambichon ALL=(ALL) ALL
Defaults rootpw makes sudo ask for the root password rather than the user's own password; the second line allows teambichon to run any command as any user.
From a local terminal, test the ssh connection with the teambichon user we just created.
Then test the switch to root with:
su
(su checks the root password; running sudo -i instead also exercises the sudoers entry you just added.)
If everything is OK, stay as root in that session and edit the ssh configuration: set PermitRootLogin to no. Keep this session open until you have confirmed from a second terminal that you can still log in as teambichon: sshd keeps existing connections alive across a restart, so this session is your safety net if the new configuration is wrong. Validating the file with sshd -t before restarting is also a good habit, since a syntax error would make sshd refuse to start.
vim /etc/ssh/sshd_config
PermitRootLogin no
PermitEmptyPasswords no
Match Address 192.168.3.2
    PermitRootLogin without-password
Match all
systemctl restart sshd
For example, here Match Address 192.168.3.2 allows this private IP to connect as root via a public key (without a password); the key must be present in root's authorized_keys. without-password is the older spelling of prohibit-password: OpenSSH 7.0 and later accept both, older releases only the former.
A Match block extends to the end of the file or to the next Match line, so the Match Address 192.168.3.2 clause should be closed with Match all; otherwise any option you add later in the file would silently apply only to that address.
Match Address is only useful when you want to specify exceptions. In this example, the private machine with IP 192.168.3.2 (on the same LAN as ours) is still allowed to connect as root to our machine by ssh, but only with a key; from everywhere else, root login is refused entirely.
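The whole procedure above as one script, as an added example that is not part of the original article. The user name (teambichon), the LAN address (192.168.3.2) and the use of a drop-in file under /etc/sudoers.d instead of editing /etc/sudoers directly are assumptions; the first two can be overridden through the environment. harden_sshd_config takes the path of the file to edit, so it can be dry-run on a copy before touching /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example (not from the original article): the article's hardening
# steps as a script. ADMIN_USER, LAN_IP and the sudoers.d drop-in are
# assumptions, not values from the article's own setup.
set -eu

ADMIN_USER="${ADMIN_USER:-teambichon}"   # the non-root admin account
LAN_IP="${LAN_IP:-192.168.3.2}"          # the one host still allowed root + key

# The two lines the article adds with visudo, as a sudoers fragment.
# "Defaults rootpw" makes sudo ask for root's password instead of the user's.
sudoers_fragment() {
    printf 'Defaults rootpw\n%s ALL=(ALL) ALL\n' "$ADMIN_USER"
}

# Apply the sshd_config changes to the file given as argument.
# Existing global PermitRootLogin / PermitEmptyPasswords lines (commented or
# not) are dropped so the new values are authoritative; everything from the
# first Match line onward is kept verbatim, and the LAN exception is appended
# as its own Match block, closed by "Match all" so later options stay global.
harden_sshd_config() {
    cfg="$1"
    tmp="$(mktemp)"
    awk '
        /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
        !in_match && /^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PermitEmptyPasswords)[[:space:]]/ { next }
        { print }
    ' "$cfg" > "$tmp"
    {
        printf 'PermitRootLogin no\nPermitEmptyPasswords no\n'
        cat "$tmp"
        # prohibit-password is the current spelling of the article's without-password
        printf '\nMatch Address %s\n    PermitRootLogin prohibit-password\nMatch all\n' "$LAN_IP"
    } > "$cfg"
    rm -f "$tmp"
}

# Real run, as root: "sh harden.sh apply". Keep your current ssh session open
# and verify a fresh login from a second terminal before closing it.
if [ "${1:-}" = "apply" ]; then
    id "$ADMIN_USER" >/dev/null 2>&1 || useradd "$ADMIN_USER"
    passwd "$ADMIN_USER"
    sudoers_fragment > "/etc/sudoers.d/$ADMIN_USER"
    chmod 0440 "/etc/sudoers.d/$ADMIN_USER"
    visudo -cf "/etc/sudoers.d/$ADMIN_USER"   # same syntax check visudo does on exit
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t                                    # refuse to restart on a broken config
    systemctl restart sshd
fi
```

The drop-in under /etc/sudoers.d is picked up by the #includedir line in CentOS 7's default /etc/sudoers, and visudo -cf checks it exactly as visudo would check /etc/sudoers on exit. sshd -t is run before systemctl restart sshd so that a typo in the new configuration stops the script instead of leaving you with a daemon that will not come back up.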