Howto disable direct root login and secure ssh

From KhoLiX Wiki

Initial

  • To disable direct root login over SSH, first create an account that will act as the system administrator.
  • Try NOT to use this user for a web or HTTP document root. [Optional]
  • If mod_userdir is turned on for the Apache httpd server, try to disable the httpd userdir for this user. [Optional]
  • For this example, let's assume mgaye is the system administrator.
  • Add the new account mgaye and assign wheel as its secondary group.
/usr/sbin/useradd -G wheel -c "Mg Aye" -m mgaye

sshd Configuration

  • The ssh config file is /etc/sshd_config; use any editor to change these values.
  • Find
#Protocol 2,1
  • Un-comment and/or Change to
Protocol 2
  • Find
#PermitRootLogin yes
  • Un-comment and/or Change to
PermitRootLogin no
  • Find
#LoginGraceTime 2m
  • Un-comment and/or Change to
LoginGraceTime 300
  • Find
X11Forwarding yes
  • Un-comment and/or Change to
X11Forwarding no
  • Find
#UseLogin no
  • Un-comment and/or Change to
UseLogin no

pam su Configuration

  • The su configuration is in /etc/pam.d/su; use any editor to change these values.
#auth  required /lib/security/pam_wheel.so use_uid
  • Un-comment and/or Change to
auth  required /lib/security/pam_wheel.so use_uid

Allow wheel in sudoers

/usr/sbin/visudo
  • Find the following line.
#%wheel	ALL=(ALL)	ALL
  • Un-comment and/or Change to
%wheel	ALL=(ALL)	ALL

Restart sshd

  • Before restarting sshd, make sure that every single modification is correct.
  • With any single mistake, you will fail to su to root.
/usr/sbin/service sshd restart
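
A pre-restart check for the values set in the steps above, as an added example that is not part of the original wiki page. The function names and the sample file are assumptions made for illustration; the parser only handles plain "Keyword value" lines and stops at the first Match block.

```shell
#!/bin/sh
# Added example: check the sshd_config values from this page before a restart.
# Assumes "Keyword value" lines; Include files and the "Keyword=value" form
# are not handled.

# Print the effective global value of keyword $2 in file $1. sshd keywords are
# case-insensitive and the first uncommented occurrence wins.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/          { next }   # comments and blank lines
        tolower($1) == "match"  { exit }   # conditional blocks are not global
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if every directive has the value this page sets.
check_sshd_hardening() {
    file=$1; rc=0
    for pair in Protocol=2 PermitRootLogin=no X11Forwarding=no UseLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if user $1 is a member of group $2 (wheel, for su and sudo).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Constructed sample: the "no" is commented out, so the live value is "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
X11Forwarding no
UseLogin no
EOF
check_sshd_hardening "$sample" || echo "config not hardened: do not restart sshd"
in_group mgaye wheel || echo "mgaye is not in wheel: su and sudo would fail"
rm -f "$sample"
```

On the server itself, `sshd -t` additionally checks the configuration file for syntax errors before the restart.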

On Kholix VPS and Dedicated Server

  • You can open a support ticket to request this configuration.
  • Please include the system administrator name.
