The goal is to stop exposing our server to root login attempts over ssh. On the Internet, servers operated by attackers run automatic scans that specifically target ssh root access.

Our use of fail2ban (see the article) lets us detect repeated failed ssh login attempts against the server; the IP at the origin of these attempts is then blocked for a defined time. But this does not stop attackers from trying to log in to the server over ssh as root in the first place.

A good practice is to disable root login over ssh and add a non-root user to the server.

In what follows we work on a CentOS 7 distribution; from one distribution to another there is little or no difference in these steps.

The steps to follow in order:

Create the "simple" (unprivileged) user, e.g. teambichon:

useradd teambichon
passwd teambichon

Then we add this user to the "sudo" users.

Open the file /etc/sudoers with the visudo editor (this matters: when you exit, visudo performs a syntax check before saving, so a typo cannot leave you with a broken sudoers file):

visudo

Then add the following 2 lines at the bottom of the file:

Defaults rootpw
teambichon    ALL=(ALL)    ALL

Note that Defaults rootpw makes sudo prompt for root's password instead of the user's own; if you would rather root's password never be typed during a session, leave that line out and sudo will ask for teambichon's password.

From a local terminal, test the ssh connection with the teambichon user we just created. Keep your existing root session open until everything below is verified, so that a mistake cannot lock you out.

Then test the switch to root with:

su

su asks for root's password and does not exercise the sudoers entry; to check that as well, run sudo -i from the teambichon session.

If everything is OK, stay as root, edit the ssh configuration and set PermitRootLogin to no. Before restarting the service, validate the file with sshd -t: a syntax error found only at restart would leave the server without ssh at all.

vim /etc/ssh/sshd_config
PermitRootLogin no
PermitEmptyPasswords no
Match Address 192.168.3.2
    PermitRootLogin without-password
Match all

systemctl restart sshd

For example, here Match Address 192.168.3.2 allows that private IP to log in as root using public-key authentication only (no password).

A Match block extends to the next Match line or to the end of the file, so any directive placed after Match Address 192.168.3.2 would apply only to that address; closing the block with Match all returns to the global scope. The without-password value is the older spelling: OpenSSH 7.0 and later, including the 7.4 shipped with CentOS 7, also accept prohibit-password and treat the two identically.

Match Address is only useful when you want to specify exceptions. For example, here the private machine with IP 192.168.3.2 (on the same LAN as our machine) is allowed to log in as root over ssh, and every other address is refused. Keep such exceptions to addresses you control: the rule applies to anyone who can reach the server from that IP.
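As an added example (not code from the original article), the script below produces the two files the article edits by hand, a sudoers rule and a hardened sshd_config, as copies that can be checked before anything under /etc is touched. It assumes POSIX sh, awk and grep; the user name, the file paths and the LAN address are parameters chosen by the caller (192.168.3.2 and teambichon are the article's examples), and the sudoers rule is written as a drop-in for /etc/sudoers.d rather than appended to /etc/sudoers. Account creation stays the useradd/passwd step above. The sample sshd_config it hardens is constructed inline from the commented-out defaults CentOS 7 ships.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a sudoers rule and a
# hardened sshd_config as copies that can be checked before touching /etc.
# Assumptions: POSIX sh, awk, grep; user, paths and LAN address are parameters
# (192.168.3.2 / teambichon are the article's examples, not fixed values).

# write_sudoers_rule USER FILE
# Drop-in for /etc/sudoers.d granting USER full sudo rights (CentOS 7's
# /etc/sudoers includes that directory). Without the article's "Defaults rootpw",
# sudo asks for USER's own password, so root's password is never typed.
write_sudoers_rule() {
    printf '%s    ALL=(ALL)    ALL\n' "$1" > "$2"
    chmod 0440 "$2"
}

# sudoers_rule_ok FILE: shape check of the rule, usable where visudo is absent.
sudoers_rule_ok() {
    grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL$' "$1"
}

# visudo_check FILE: the real parser; "visudo -c -f" checks without installing.
visudo_check() {
    visudo -c -f "$1"
}

# set_sshd_option FILE KEY VALUE  (result on stdout)
# Replace an active or commented-out KEY line in the global section with
# "KEY VALUE", or insert one before the first Match block (or at the end).
# Lines inside Match blocks are never touched.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        /^[ \t]*Match[ \t]/ && !in_match {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indent and a leading #
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {   # sshd keywords are case-insensitive
                if (!done) { print key " " value; done = 1 }
                next
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1"
}

# harden_sshd_config IN OUT ADDRESS
# Root login and empty passwords refused everywhere, except that ADDRESS may
# log in as root with a key only. prohibit-password is the OpenSSH 7.x name of
# the article's without-password (CentOS 7 ships 7.4, which accepts both).
# "Match all" closes the block so anything appended later is global again.
harden_sshd_config() {
    tmp=$(mktemp)
    set_sshd_option "$1" PermitRootLogin no > "$tmp"
    set_sshd_option "$tmp" PermitEmptyPasswords no > "$2"
    rm -f "$tmp"
    if ! grep -Fxq "Match Address $3" "$2"; then
        printf '\nMatch Address %s\n    PermitRootLogin prohibit-password\nMatch all\n' "$3" >> "$2"
    fi
}

# sshd_check FILE: let sshd validate the file before "systemctl restart sshd";
# a typo found only at restart leaves the server without ssh at all.
sshd_check() {
    sshd -t -f "$1"
}

# demo: constructed sample of the commented defaults CentOS 7 ships, hardened
# into a temporary copy. Run with:  sh harden_ssh.sh demo
demo() {
    src=$(mktemp); dst=$(mktemp); rule=$(mktemp)
    printf '%s\n' '#PermitRootLogin yes' '#PermitEmptyPasswords no' \
        'PasswordAuthentication yes' 'X11Forwarding yes' > "$src"
    harden_sshd_config "$src" "$dst" 192.168.3.2
    write_sudoers_rule teambichon "$rule"
    sudoers_rule_ok "$rule" && echo "sudoers rule: $(cat "$rule")"
    command -v visudo >/dev/null 2>&1 && visudo_check "$rule"
    command -v sshd >/dev/null 2>&1 && sshd_check "$dst"
    echo '--- hardened sshd_config ---'; cat "$dst"
    rm -f "$src" "$dst" "$rule"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh harden_ssh.sh demo` to see the hardened copy; on the real server you would then pass /etc/ssh/sshd_config as the input, write to a temporary path, run sshd_check on it, and only then move it into place and restart sshd. The awk rewrite deliberately stops editing at the first Match line, which is why re-running it on an already hardened file changes nothing and adds no second Match block.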
