How can I stop root logging into ssh? I presume there is a setup file somewhere?
thanks
Hi
On Mon 16-Jan-2006 at 11:19:39AM +0000, Tom Brown wrote:
> How can I stop root logging into ssh? I presume there is a setup file somewhere?
Add this line to /etc/ssh/sshd_config
PermitRootLogin no
Chris
On 1/16/06, Tom Brown <tom.brown@goodtechnology.com> wrote:
> How can I stop root logging into ssh? I presume there is a setup file somewhere?
man sshd_config will give you details of how to configure sshd.
-- Cheers,
Tony
On Mon, 16 Jan 2006, Tom Brown wrote:
> How can I stop root logging into ssh? I presume there is a setup file somewhere?
man sshd_config
or set PermitRootLogin no
in /etc/ssh/sshd_config
------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE
jim@rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
In your sshd configfile, you can disable root login:
*********************************************
/etc/ssh/sshd_config:
PermitRootLogin no
*********************************************
Hope this helps
On Jan 16, 2006, at 5:19 AM, Tom Brown wrote:
> How can I stop root logging into ssh? I presume there is a setup file somewhere?
> thanks
In addition to the suggestion on how to turn off root, you may want to also explicitly allow only certain users.
AllowUsers username
To tighten it down even more.
You wouldn't believe the number of attempts I get on my DSL line to login.
> In addition to the suggestion on how to turn off root, you may want to also explicitly allow only certain users.
> AllowUsers username
> To tighten it down even more.
> You wouldn't believe the number of attempts I get on my DSL line to login.
Alternatively, changing the port, and/or requiring ssh keys for authentication are excellent at eliminating this type of junk.
For the few of you who are reading this and too lazy to type ssh -p XXX hostname, ~/.ssh/config is EXCELLENT for this. Add/create a file with an entry like:
Host somename
    Hostname FQDN.here
    Port XXX
then you'll be able to do 'ssh somename' and it'll work.
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
I changed the port from 22 to a random high port (> 1024) and disabled root login with passwords in /etc/ssh/sshd_config:
PermitRootLogin without-password
Since doing these, I've had zero problems with dictionary attacks and the like.
I've had a page bookmarked since forever ago, that explains keys: http://mah.everybody.org/docs/ssh
-Ben
On Monday 16 January 2006 07:40, Jim Perrin wrote:
> Alternatively, changing the port, and/or requiring ssh keys for authentication are excellent at eliminating this type of junk.
On Mon, 2006-01-16 at 09:30 -0600, Kevin K wrote:
> On Jan 16, 2006, at 5:19 AM, Tom Brown wrote:
> > How can I stop root logging into ssh? I presume there is a setup file somewhere?
> > thanks
> In addition to the suggestion on how to turn off root, you may want to also explicitly allow only certain users.
> AllowUsers username
> To tighten it down even more.
> You wouldn't believe the number of attempts I get on my DSL line to login.
There is also an AllowGroups option. I add this:
AllowGroups sshusers
Then I create a group called sshusers and add all users who I want to have ssh access to that group.
I also listen on a different port (like 2345) and not on the standard port 22 (at least not from outside the firewall). You can do this if you have an external firewall (to /etc/sshd_config):
Port 22
Port 2345
Then you can forward port 2345 from the firewall into 2345 on this machine ... and inside the firewall still use normal ssh (port 22) but from outside, you would ssh into 2345.
Hardly ever get scan hits now for ssh.
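An added example (not part of the thread) that checks an sshd_config for the settings suggested in the replies above: PermitRootLogin, AllowUsers/AllowGroups and Port. It reports the value sshd actually uses, since sshd keeps the first value it reads for a keyword and a `PermitRootLogin no` appended below an existing line has no effect. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes whitespace-separated
# "Keyword value" lines; Include files and Match blocks are not evaluated.

# Print every value of keyword $1 set before the first Match block (stdin).
global_values() {
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/ { next }         # skip blank lines and comments
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); print }
    '
}

# sshd keeps the first value it reads for a keyword; later lines are ignored.
effective_value() { global_values "$1" | head -n 1; }

# Report on config file $1; exit status 1 if any check fails.
audit_sshd_config() {
    cfg=$1; bad=0
    root=$(effective_value PermitRootLogin < "$cfg")
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', want 'no'"; bad=1
    fi
    if [ "$(global_values PermitRootLogin < "$cfg" | sort -u | wc -l)" -gt 1 ]; then
        echo "WARN conflicting PermitRootLogin lines; only the first counts"
    fi
    users=$(effective_value AllowUsers < "$cfg")
    grps=$(effective_value AllowGroups < "$cfg")
    if [ -z "$users$grps" ]; then
        echo "FAIL no AllowUsers or AllowGroups allow-list"; bad=1
    fi
    ports=$(global_values Port < "$cfg" | paste -sd' ' -)
    echo "INFO ports: ${ports:-22 (default)}"
    return "$bad"
}

# Constructed sample: "PermitRootLogin no" was appended below an existing "yes".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
Port 2345
PermitRootLogin yes
#PermitRootLogin without-password
AllowGroups sshusers
permitrootlogin no
EOF
audit_sshd_config "$SAMPLE" || echo "sample config needs fixing"
```

Run `sshd -t` after editing the real file to catch syntax errors before restarting the daemon.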
I am really pissed at myself for doing such a thing but here's what I did. Awhile back, geez, weeks ago now, I put together this amd 64 clawhammer system. I set it up and never adjusted the date to the correct time (year) and after burning it in for bout a week...It was online but I really wasn't doing anything w/it...I would just go to it every now and then just to make sure It was up and that was it.
kk...finally I decided to let it "take the ball"(common ip), and let it do all the serving and syncing up the other 2 centos boxes. Oh my, now what a mess w/all the files it's syncing up w/all the wrong dates...1 year back...2005 instead of 2006!!!
I now have 3 centos boxes in total confusion over this file time problem!!!
I feel really ashamed of myself for doing such a thing but I can't be concerned w/that but rather repair all this mess.
I am looking for suggestions on how to repair this mess. My mind is telling me that right now, don't let any of the 3 boxes talk to each other until I got it right again and 1 by one re-install from scratch each of the systems but then, there is still all the /home, /root, mail files, that still have to be reckoned with.
I don't really think that's the way to go...I am thinking of some kind of script to look at access dates and like say everything that was accessed on say, last Jan...change it to jan 06
I really don't know the best approach here.
thx
John Rose