Direct SSH login as root should be disabled so that an attacker who guesses or brute-forces the root password over the network still cannot get a root shell; root should then be usable only from the local console. If you need root to run a script or a command, log in over SSH with your own (unprivileged) user first and then switch to root. This post shows how to secure a Red Hat Enterprise Linux (RHEL) system in this way by turning off root logins in the sshd configuration. The change affects sshd only; console logins for root are governed separately and are left untouched.
Disable root SSH Login in Linux (RHEL):
- Log in as root on the server.
- Edit the file /etc/ssh/sshd_config as shown below:
[root@TestServer ~]# vi /etc/ssh/sshd_config
.
.
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
.
.
Change the line #PermitRootLogin yes to PermitRootLogin no and save the file. Removing the leading # is essential: a commented line only documents the built-in default, which is yes, and sshd ignores it.
After the change, the Authentication block looks like this:
.
.
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
.
.
- The change takes effect only after sshd is restarted. Restarting sshd does not drop the SSH session you are editing from, so keep that session open and confirm from a second session that your own user can still log in before you close it. Restart the service with either of the commands below:
[root@TestServer ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
OR
[root@TestServer ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
- From now on, SSH logins as root are refused. sshd still prompts for a password but rejects it whatever is entered, even the correct one, so the client reports access denied:
login as: root
Using keyboard-interactive authentication.
Password:
Access denied
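The edit and restart above, done as a script so it can be repeated on many servers, as an added example that is not part of the original post. It assumes GNU sed and grep as shipped on RHEL and OpenSSH's rules that configuration keywords are case-insensitive and the first active occurrence of a keyword wins; Match blocks are not interpreted. The sample config is constructed from the Authentication block shown above, and the apply_to_live_sshd function is meant to be run only on the server being hardened.

```shell
#!/bin/sh
# Added example (not from the original post): automate the PermitRootLogin edit
# described above. Assumes GNU sed/grep as shipped on RHEL, and OpenSSH's rules
# that keywords are case-insensitive and the first active occurrence wins.
# Match blocks (OpenSSH 4.4+) are not interpreted.

# Write a constructed sample config: the Authentication block from this post.
make_sample_config() {
    cat > "$1" <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
EOF
}

# Number of active (uncommented) PermitRootLogin directives in FILE.
count_permit_root_login() {
    grep -ci '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" || true
}

# Print the value sshd will use: first active PermitRootLogin, else the default "yes".
effective_permit_root_login() {
    v=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-yes}"
}

# set_permit_root_login FILE VALUE: back the file up, then rewrite the active
# directive if one exists, otherwise append one. The commented default line is
# left alone as documentation. Safe to run repeatedly.
set_permit_root_login() {
    file="$1"; value="$2"
    cp -p "$file" "$file.bak"
    if [ "$(count_permit_root_login "$file")" -gt 0 ]; then
        sed -i "s/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin $value/I" "$file"
    else
        printf 'PermitRootLogin %s\n' "$value" >> "$file"
    fi
}

# Live-system step (not exercised in the demo): validate the config with sshd -t
# before restarting, so a typo cannot leave the server without a working sshd.
apply_to_live_sshd() {
    set_permit_root_login /etc/ssh/sshd_config no
    if sshd -t; then
        service sshd restart
    else
        echo "sshd_config failed validation, restoring backup" >&2
        cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        return 1
    fi
}

# Demo on the constructed sample: shows the effective value before and after.
demo() {
    f=$(mktemp)
    make_sample_config "$f"
    echo "before: $(effective_permit_root_login "$f")"
    set_permit_root_login "$f" no
    echo "after:  $(effective_permit_root_login "$f")"
    rm -f "$f" "$f.bak"
}

demo
```

Run it against a copy of your config first. When apply_to_live_sshd restarts the daemon, keep your current session open and test a fresh login from a second session. On RHEL 7 and later, which use systemd, replace service sshd restart with systemctl restart sshd.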
Create a new user in Linux and switch to root whenever required:
- Create a new user; here the user dbappweb is created and given a password:
[root@TestServer ~]# useradd dbappweb
[root@TestServer ~]# passwd dbappweb
Changing password for dbappweb
New password:
Re-enter new password:
Passwd successfully changed
- Now log in as dbappweb and then switch to root with su; the password asked for is root's:
login as: dbappweb
dbappweb@10.10.0.10's password:
Last login: Thu Jul 20 10:04:40 2017 from 172.10.10.11
[dbappweb@TestServer ~]$ su - root
Password:
[root@TestServer ~]#
Note: I have done the above steps on RHEL 5.8.