Linux Tip: Tighten Up Security And Disable SSH Login For Root Account

Overall, out-of-the-box Linux distributions, including Ubuntu, are pretty secure. But that doesn't mean you should ignore tightening up security even further.

One security tweak you need to consider is with the OpenSSH server. By default, direct login for root is enabled, which means you're just asking for trouble from hackers attempting to break into your computer.

Instead, you can easily stop root from logging in to your SSH server directly, while still being able to become root after you log in. While you're at it, you can increase security further by allowing only certain users SSH access.

Obviously, you need to have the OpenSSH server installed and running. If SSH is not installed on your system, just run the following command from a Terminal window:

sudo apt-get install ssh

When prompted, enter your password, and answer yes if any packages need to be installed or upgraded.

Once installation has completed, test connecting and logging on to SSH (answer yes to accept the key).

Disable Root Access

Now that SSH is installed (if it wasn't already), you'll need to edit the sshd_config file. Press Alt+F2 to open the Run dialog and enter the following command if you are using GNOME…

gksu gedit /etc/ssh/sshd_config

…or for Kubuntu:

kdesu kate /etc/ssh/sshd_config

If prompted, enter your password to proceed.

(NOTE: Alternatively, you can use vi or vim to edit sshd_config.)

Once gedit or kate opens, scroll down until you see the following section…

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

…then modify PermitRootLogin as shown below:

PermitRootLogin no

This disables root's ability to log on via SSH. Save the file and exit gedit.

Now you'll need to restart the SSH service from a Terminal window. On Ubuntu the init script is named ssh, so use the following command:

sudo /etc/init.d/ssh restart

After restarting SSH, try to connect using the root account. Access should be denied, and you should only be able to log on with your user account. Once you have logged in, you can access the root account by using the su command.

Now that root access is disabled, why stop there with securing SSH?

Decrease SSH Login Grace Time

Another security option you may want to consider is lowering the LoginGraceTime parameter to about 30 seconds.

LoginGraceTime 30

The login grace time is the period during which a client may be connected but has not yet completed authentication. By default, sshd allows a connected client to wait 120 seconds (2 minutes) before it drops the connection.

By shortening this window, you reduce the chance that a brute-force attack against your SSH server will succeed.

Allow Certain Users SSH Access

By default, SSH permits every user with an account to log in over SSH. To prevent this, you can use the AllowUsers directive to grant access only to certain users.

To do this, add the following line to your sshd configuration file under the Authentication section.

AllowUsers breid jmathon

This allows only the users breid and jmathon to log in via SSH.

After making the above changes, save sshd_config and close gedit. For the changes to take effect immediately, don't forget to restart SSH by running the following command from a Terminal window:

sudo /etc/init.d/ssh restart

By making these simple changes to your SSH configuration, you increase security by opening access to your computer only for authorized users… and closing the door on hackers.
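A quick way to confirm that the three settings above actually took effect, added here as an example and not code from the original post: it reads an sshd_config file the way sshd does (the first value for a keyword wins, keywords are case-insensitive, and lines after a Match block are conditional) and reports the effective PermitRootLogin, LoginGraceTime and AllowUsers. The two sample configs it creates are constructed for the example, and the 30-second and user-name thresholds are the ones used in this article.

```shell
#!/bin/sh
# Added audit for the sshd_config settings discussed above. sshd uses the FIRST
# value it meets for a keyword (keywords are case-insensitive), and lines after
# a "Match" block apply conditionally, so only the global section is checked.

# effective_value FILE KEYWORD -> prints the first global value, or nothing
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i   # multi-word values
            print v; exit
        }' "$1"
}

# audit_sshd_config FILE -> prints findings; returns 0 only if all checks pass.
# Absent keywords take the defaults the article describes (root allowed, 120 s).
audit_sshd_config() {
    f=$1; rc=0
    root=$(effective_value "$f" PermitRootLogin)
    grace=$(effective_value "$f" LoginGraceTime)
    allow=$(effective_value "$f" AllowUsers)
    if [ "${root:-yes}" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-yes}' (first value wins; want no)"; rc=1
    fi
    case "$grace" in   # plain seconds only; sshd also accepts suffixes like 2m
        '')       echo "FAIL LoginGraceTime unset (default 120)"; rc=1 ;;
        *[!0-9]*) echo "FAIL LoginGraceTime '$grace' is not plain seconds"; rc=1 ;;
        *) [ "$grace" -le 30 ] || { echo "FAIL LoginGraceTime $grace > 30"; rc=1; } ;;
    esac
    if [ -z "$allow" ]; then
        echo "FAIL AllowUsers unset: every account may log in"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS $f"
    return "$rc"
}

# Constructed sample configs (not copied from any real system).
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
# Appending "PermitRootLogin no" at the end does NOT override the earlier yes.
printf '%s\n' '# Authentication:' 'LoginGraceTime 120' 'PermitRootLogin yes' \
    'StrictModes yes' 'PermitRootLogin no' >"$WEAK_CFG"
printf '%s\n' 'LoginGraceTime 30' 'PermitRootLogin no' 'StrictModes yes' \
    'AllowUsers breid jmathon' >"$HARDENED_CFG"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing; the weak sample shows why the article edits the existing PermitRootLogin line in place rather than adding a second one at the bottom.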

Comments on Linux Tip: Tighten Up Security And Disable SSH Login For Root Account

February 20, 2010

Randy @ 5:05 pm

Hi,

When trying to apply the method for further security with "sudo apt-get install ssh", I get the following:

E: Could not get lock /var/lib/dpkg/lock – open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?

What should I do at this point to continue with securing the Open-SSH Access?

Prior to attempting this I had already installed "Firestarter" and "ClamAV." Don't know if this is the problem or not.

I am completely brand new to Linux Ubuntu, so this is foreign for me.

Thank you for the help,

Randy

February 7, 2011

fbsduser @ 10:23 pm

Hi. How would I perform these changes in Gentoo and OSX? Is ssh in the Mac App Store (the package manager that comes in OSX 10.6.6 and 10.7)?
