The Community Forums


How to disable direct root login ?

Discussion in 'General Discussion' started by billau, Jul 31, 2004.

  1. billau

    billau Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane, Australia
    For that you need to make a few different changes to the SSH config file. In this howto we will disable direct root login and disable SSH1 (a buggy SSH protocol).

    Disabling direct root login will force a hacker to have to gain access to two separate passwords to SSH into your server.

    First, set up the admin account if you haven't already got one:

    groupadd admin
    useradd admin -gadmin


    Create a password for the new account.

    passwd admin

    On a CPanel system, you can now go into root WHM and add another user to the wheel group, or use your favorite editor to put "admin" in the wheel group by editing /etc/group.

    Now, SSH into your server as admin and gain root access by typing:

    su -

    Next, use your favorite editor to edit /etc/ssh/sshd_config, assuming you are using pico, type:

    pico -w /etc/ssh/sshd_config

    Find the line:

    #Protocol 2, 1

    Uncomment it and change it to look like:

    Protocol 2

    Next, find the line:

    #PermitRootLogin yes

    Uncomment it and make it look like:

    PermitRootLogin no

    Now save the file; with perl you would press CTRL+x, then y, then Enter to save the file.

    Restart SSH by issuing this command:

    /etc/rc.d/init.d/sshd restart

    And if you would like to disable 'su', you can use 'chmod 750 /bin/su'.
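    An added check, not from the post or from cPanel, that reads sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive, directives after a Match line are conditional), so you can confirm the edits took before opening a second session. It assumes the plain "Keyword value" form and that Protocol is still meaningful on your OpenSSH release (7.4 and later dropped SSH1 and ignore the keyword).

```shell
#!/bin/sh
# Audit an sshd_config for the two settings the post edits.
# sshd uses the FIRST uncommented occurrence of a keyword, keywords are
# case-insensitive, and everything after a "Match" line is conditional,
# so the scan stops there. Only the "Keyword value" form is handled (assumption).
sshd_effective() {  # $1 = config file, $2 = keyword; prints the effective value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }      # "#PermitRootLogin yes" is a comment
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

audit_sshd_config() {  # $1 = config file; returns 0 only if both settings are hardened
    rc=0
    proto=$(sshd_effective "$1" Protocol)
    root=$(printf '%s' "$(sshd_effective "$1" PermitRootLogin)" | tr 'A-Z' 'a-z')
    case "$proto" in
        2)   echo "ok:   Protocol=2" ;;
        "")  echo "FAIL: Protocol unset (old releases defaulted to 2,1)"; rc=1 ;;
        *1*) echo "FAIL: Protocol=$proto still offers SSH1"; rc=1 ;;
        *)   echo "FAIL: Protocol=$proto unrecognised"; rc=1 ;;
    esac
    case "$root" in
        no)  echo "ok:   PermitRootLogin=no" ;;
        "")  echo "FAIL: PermitRootLogin unset (the default is not 'no')"; rc=1 ;;
        *)   echo "FAIL: PermitRootLogin=$root"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not from the post): as shipped, and after the edits.
before=$(mktemp); after=$(mktemp)
printf '#Protocol 2,1\n#PermitRootLogin yes\nPort 22\n' > "$before"
printf 'Protocol 2\nPermitRootLogin no\nMatch User admin\n    PermitRootLogin yes\n' > "$after"
audit_sshd_config "$before" || echo "-> $before: commented lines change nothing"
audit_sshd_config "$after"  && echo "-> $after: hardened; the Match block is not global"
rm -f "$before" "$after"
```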
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's a good idea, but again you've missed out some crucial steps here:

    Problem 1:
    No, it really doesn't. It just slows them down a little bit. Most hackers who have gained access to a non-root account are more likely to look for a local root vulnerability. They are also at a distinct advantage, being on the server, for running a dictionary attack against your root password, compared to doing so remotely. If you have procedures running that check for bad login attempts, then you can firewall such attempts before they get started. If a hacker gains access through a non-root account and then performs a dictionary attack on the root account, those will not come into play, and they are liable to crack it more easily.

    I'm not saying don't do it - but don't get a false sense of security, thinking it will make it twice as hard to break in.

    Problem 2:
    You should state that you should never ever log out of your SSH session once you restart SSHD. You should always open a new session first and make sure you can login and get to root. If you can't, you then at least still have an opportunity to fix it.

    Alternatively, you could open up telnet for the short period that you want to restart SSHD and make sure you login via it first, then change your root password.

    Better suggestions, IMHO, than disabling root SSH access are to:

    1. Use secure passwords (lower/upper case letters, numerics and non-alphanumeric characters) and change them at least monthly.

    2. Don't use port 25, use a completely different (not already used) random port that only you know.

    For the ultimate in SSH security, consider Port Knocking:
    http://www.portknocking.org/
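    As an added example, not chirpy's or the forum's own code, this awk-based shell function applies the point above to a constructed auth log: it groups sshd password failures by source address (the key a firewalling script would act on) and lists su failures separately, since those never cross the network and no firewall rule will see them. It assumes the syslog line formats shown in the comments.

```shell
#!/bin/sh
# Summarise remote sshd failures (firewallable) and local su failures (not) from
# a syslog-style auth log. Line formats assumed (see comments in the awk program).
auth_failures() {  # $1 = log file, $2 = failure threshold per source IP (default 3)
    awk -v thresh="${2:-3}" '
        # sshd: "... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2"
        /sshd\[[0-9]+\]: Failed password for / {
            user = $0; sub(/.*Failed password for (invalid user )?/, "", user)
            ip = user; sub(/ from .*/, "", user)
            sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            remote[ip]++; names[ip] = names[ip] " " user; next
        }
        # su (shadow-utils): "... su: FAILED SU (to TARGET) NAME on pts/0"
        /su: FAILED SU \(to [^)]+\)/ {
            target = $0; sub(/.*\(to /, "", target); sub(/\).*/, "", target)
            who = $0; sub(/.*\) /, "", who); sub(/ on .*/, "", who)
            local_su[who " -> " target]++; next
        }
        END {
            for (ip in remote) if (remote[ip] >= thresh)
                printf "BLOCK %s failures=%d users:%s\n", ip, remote[ip], names[ip]
            for (k in local_su) printf "LOCAL-SU %s failures=%d\n", k, local_su[k]
        }' "$1"
}

# Constructed log lines (not real traffic): one noisy source, one single failure,
# one successful admin login followed by two failed su attempts to root.
log=$(mktemp)
cat > "$log" <<'EOF'
Jul 31 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Jul 31 10:00:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 4412 ssh2
Jul 31 10:00:05 host sshd[1205]: Failed password for invalid user guest from 203.0.113.5 port 4413 ssh2
Jul 31 10:00:07 host sshd[1207]: Failed password for root from 203.0.113.5 port 4414 ssh2
Jul 31 10:02:00 host sshd[1220]: Failed password for root from 198.51.100.9 port 5022 ssh2
Jul 31 10:02:30 host sshd[1222]: Accepted password for admin from 198.51.100.9 port 5023 ssh2
Jul 31 10:05:00 host su: FAILED SU (to root) admin on pts/0
Jul 31 10:05:10 host su: FAILED SU (to root) admin on pts/0
EOF
auth_failures "$log" 3
rm -f "$log"
```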
     
  3. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    You were just checking to make sure we were paying attention right? :)

    We know you have mail delivery running through your veins :p
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Oops :eek: Thank you for spotting that. I'd go back and correct it, but, well, you need to leave some bit of initiative :)
     
  5. jeffheld

    jeffheld Active Member

    Joined:
    Jan 7, 2004
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    financial capital
    and stop using usernames like "admin"
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed, especially with the current skiddie script doing the rounds that attacks admin, test, and guest - other names never to have in your /etc/passwd.
     
  7. jeffheld

    jeffheld Active Member

    Joined:
    Jan 7, 2004
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    financial capital
    trust no one! but root
     
  8. ISNScott

    ISNScott Member

    Joined:
    Jul 16, 2004
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Everyone attempts to crack the username admin and the username guest. Don't ask why; I got lots of them from bfd.
     
  9. chadi

    chadi BANNED

    Joined:
    Apr 20, 2004
    Messages:
    415
    Likes Received:
    0
    Trophy Points:
    0
    I have a problem. I set this up, but when I log back in and try su -l it gives me a "permissions denied" error.

    I never chmodded it to 750 either.

    How can I fix this now?
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You need to log in to WHM and add the user you want to su from into the wheel group under Manage Wheel Group Users.
     