The most important steps to secure your server are to disable direct root login over SSH and to create a dedicated SSH user. Leaving direct root login enabled makes it much easier for an attacker to break into your server, since "root" is an account name every attacker already knows. Never log in as the root user for that reason. Use sudo to execute commands that need root privileges. By using sudo we can greatly enhance the security of the system without sharing the root password with other users and administrators, and it provides simple auditing and tracking as well, because every sudo invocation is logged together with the user who ran it.
Here we discuss how to disable direct root login and how to create a dedicated SSH user.
Disable direct root login
Please note that you must not log out of your system after disabling direct root login. Keep your current session open, follow the steps until you have created a dedicated SSH user, and only then log out. Otherwise you will not be able to log in to your system again. Please be careful about this.
The root user is the one who has the ability to do anything on your system. Imagine what would happen if someone got access to your root account. Let's disable direct root login using the steps below.
Edit the SSH daemon's main configuration file.
vi /etc/ssh/sshd_config
There you will find the line below.
#PermitRootLogin yes
Change it as below.
PermitRootLogin no
Restart the SSH service to apply the change.
/etc/init.d/sshd restart
Now you have disabled direct root login. Follow the steps below to create a dedicated SSH user.
Create dedicated SSH user
After disabling direct root login, you need to create a dedicated SSH user. (Only this user will have SSH login permission on your system.)
We are going to create a dedicated user called "isusr". Please follow the steps below.
Create the user account.
useradd isusr
Set a password for the user.
passwd isusr
Add this user to the "/etc/sudoers" file. Simply edit this file, or better, run the command below, which checks the syntax of the file before saving so that a typo cannot lock you out of sudo.
visudo
Here you will find a line as shown below.
root    ALL=(ALL) ALL
The above line means the root user can run any command anywhere. Add the line below under it.
isusr   ALL=(ALL) ALL
Now save the file.
From now on, the user "isusr" has permission to run any command anywhere. For this to work you have to add "sudo" to the beginning of every privileged command that you execute as user "isusr".
For example, if you are logged in as "isusr" and want to restart MySQL, you have to do it as shown below.
sudo /etc/init.d/mysql restart
You can also switch from this user to the root user. For this, run the command below.
sudo su -
Now you have disabled direct root login and created a user called "isusr" with full permissions on your system. This does not yet make "isusr" a dedicated SSH user: there may be other users on your system that have SSH shell access. Follow the steps below to block all those users and to set "isusr" as the dedicated SSH user.
Edit the SSH main configuration file.
vi /etc/ssh/sshd_config
Add the line below.
AllowUsers isusr
Save the file and restart the SSH service to apply these changes.
/etc/init.d/sshd restart
Now you have created a dedicated SSH user.
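The two sshd_config edits above (PermitRootLogin no, then AllowUsers isusr) are the step where a slip locks you out, so here is the whole procedure as an added shell example that is not part of the original post. It edits whichever file path you give it rather than /etc/ssh/sshd_config directly, so you can test it on a copy first; the user name "isusr" is just the post's sample value. The preflight function is an assumption about what a careful administrator would check before restarting sshd: that the allowed user actually exists (getent) and that sshd accepts the file (sshd -t -f). Keep your existing session open, and log in as the new user from a second terminal before closing it.

```sh
#!/bin/sh
# Added example, not the original post's code. Works on the file path given as
# the first argument; "isusr" below is only a constructed sample user name.

# set_directive FILE KEY VALUE
# Replace any existing "KEY ..." or "#KEY ..." line with "KEY VALUE". If the
# file has no such line, put the new directive at the TOP of the file: sshd
# uses the first occurrence of a keyword, and anything after a "Match" line
# only applies inside that block, so appending at the end is not safe.
# A temp file keeps a failed edit from leaving a half-written config behind.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$tmp"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    fi
    # cat > keeps the original file's owner and mode (a plain mv would not)
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_sshd_config FILE USER
# Step 1 of the post: PermitRootLogin no. Step 2: AllowUsers USER.
harden_sshd_config() {
    set_directive "$1" PermitRootLogin no && set_directive "$1" AllowUsers "$2"
}

# directive_value FILE KEY
# Print the effective (uncommented) value of KEY; first match wins, as in sshd.
directive_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE USER
# Return 0 only if root login is off and USER appears in an AllowUsers line.
check_sshd_config() {
    [ "$(directive_value "$1" PermitRootLogin)" = "no" ] || return 1
    awk -v u="$2" '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
                   END { exit !found }' "$1"
}

# preflight FILE USER  (run as root, before restarting sshd)
# Refuse to continue if the only allowed user does not exist on the system,
# or if sshd rejects the edited file; either would lock you out on restart.
preflight() {
    getent passwd "$2" > /dev/null || { echo "user $2 does not exist" >&2; return 1; }
    sshd -t -f "$1" || { echo "sshd rejected $1" >&2; return 1; }
    check_sshd_config "$1" "$2"
}

# Usage on a real host, once isusr exists and has its sudoers entry:
#   cp /etc/ssh/sshd_config /root/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config isusr
#   preflight /etc/ssh/sshd_config isusr && /etc/init.d/sshd restart
```

Run the three commands in the usage comment in that order; if preflight fails, restore the backup instead of restarting, and your open session stays usable either way.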