ssh root
Hello
I would like to know how I can disable root access via ssh. Bye
Last edited by Nk2Network; 6th April 2009 at 08:51 PM.
Here's a patch I run against my new setups (as part of a larger config script) to disable root SSH, allow only public/private key access (no passwords) and set up a template for when I want to allow a subcontractor SFTP-only access to a chroot directory.
Code:
--- sshd_config~ Wed Jan 28 23:45:17 2009 +++ sshd_config Wed Jan 28 23:47:54 2009 @@ -36,7 +36,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 @@ -56,7 +56,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords @@ -97,10 +97,9 @@ #Banner none # override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server +Subsystem sftp internal-sftp -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server +# Match User ______ +# ForceCommand internal-sftp +# ChrootDirectory /var/www + |
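Review bot: `+PermitRootLogin no` also refuses root logins that present a key, so if the larger config script this patch belongs to relies on root over SSH for automation, that will break; `PermitRootLogin without-password` (the value sshd_config(5) offered at the time of this patch) keeps root key-only while still rejecting root passwords. For the stated goal of no root SSH at all, `no` is the right choice.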
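Review bot: `+PasswordAuthentication no` alone does not make the server key-only: the context line `# Change to no to disable s/key passwords` that follows belongs to `ChallengeResponseAuthentication`, which stays at its default of yes, so keyboard-interactive (challenge/response) logins remain available. Add `ChallengeResponseAuthentication no` in the same hunk, and install the authorized key before restarting sshd so the change cannot lock you out.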
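Review bot: the new `# Match User ______` template drops the `X11Forwarding no` and `AllowTcpForwarding no` lines that the removed `Match User anoncvs` example carried; a user restricted with `ForceCommand internal-sftp` can otherwise still request forwarded TCP connections through the server, so keep both lines in the template. Also worth a comment beside `ChrootDirectory /var/www`: sshd requires the chroot directory and every component of its path to be root-owned and not group- or world-writable, or the login is refused. The final `+` line is a stray empty line.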
Use sudo and edit the file /etc/ssh/sshd_config
Code:
PermitRootLogin yes
Change the word yes to no:
Code:
PermitRootLogin no
Code:
kill -HUP `cat /var/run/sshd.pid`
Apparently it's not working.
Last edited by Nk2Network; 7th April 2009 at 11:45 AM.
Hello
I don't understand. I just checked my sshd_config:
Code:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
You don't seem to have a grasp of English. Please excuse this horrible translation, done by freetranslations.com:
Lines that begin with "#" are comments and are ignored. You must remove the "#" if you want the line to be used by sshd. The sshd_config file shows the default setting of each parameter, but commented out. I hope this helps.
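The "#" rule above is the whole point of the thread, so here is a small audit script, added here and not code from the thread, that reads an sshd_config the way sshd does (comment lines ignored, first occurrence of a keyword wins, Match blocks excluded) and reports which of PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication are still at a weak value. It assumes the built-in defaults shown as commented lines in the 2009-era file quoted in this thread, and OP_CONFIG is a constructed sample.

```python
"""Audit the global (pre-Match) part of an sshd_config for the "no root,
keys only" posture discussed in this thread.  Added example, not code from
the thread.  The point it handles: a line starting with '#' is a comment,
so '#PermitRootLogin no' changes nothing and the built-in default applies."""

# Built-in defaults.  PermitRootLogin and PasswordAuthentication are taken
# from the commented lines in the 2009-era sshd_config quoted in the thread;
# ChallengeResponseAuthentication=yes is an assumption implied by the
# "disable s/key passwords" comment there.  Check sshd_config(5) for your version.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# Values acceptable on a hardened host.
WANTED = {
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
}

def effective_settings(config_text):
    """Return {keyword: value} as sshd applies them globally: '#' lines are
    ignored, the FIRST occurrence of a keyword wins (sshd_config(5)), and
    parsing stops at the first Match block, whose settings are conditional."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank: not a directive
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to matching users/hosts
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(key, value)  # keep the first value seen
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}

def audit(config_text):
    """Return the keywords whose effective value is not hardened."""
    eff = effective_settings(config_text)
    return sorted(k for k, v in eff.items() if v.lower() not in WANTED[k])

# Constructed sample: the OP's file, with the '#' left in front of the edit.
OP_CONFIG = "# Authentication:\n#LoginGraceTime 2m\n#PermitRootLogin no\n"

if __name__ == "__main__":
    # all three keywords are reported: the commented-out edit changed nothing
    print("still at a weak value:", audit(OP_CONFIG))
```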
Change:
Code:
#PermitRootLogin no
Code:
PermitRootLogin no
Code:
kill -HUP `cat /var/run/sshd.pid`
http://www.freebsd.org/fr/projects/newbies.html
Last edited by mwatkins; 7th April 2009 at 05:14 PM.
This user is using OpenBSD, not FreeBSD, mwatkins.
We've pointed him toward the French translation of the FAQ before, and it may have benefited him, but unfortunately the man pages are English only. An understanding of English is simply a requirement at this time, at least until translation efforts start spanning beyond the website.
http://www.openbsd.org/fr/index.html
http://www.openbsd.org/faq/fr/index.html
Unfortunately even on the FreeBSD "fr" page some of the resources are English only. I provided the link more for "unix for beginners" content than anything *BSD specific.
Regardless of mother tongue, if one can't grasp what a comment character is through intuition, one is going to have a very hard time with any flavour of Unix.
Hello,
Thank you very much for your help; you could see that my mother tongue is French. Even with links in English I can get by. I managed to make the changes. How do I limit brute force attempts on SSH? Thank you beaucoup.
Quick way: I should let someone familiar with OpenBSD answer this, but let's assume it is similar to FreeBSD (and most Linuxes); check:
Code:
/etc/hosts.allow
# allow a single machine
sshd : 123.456.789.012 : allow
# allow a range
sshd : 123.123.0.0/255.255.0.0 : allow
# the last line of hosts.allow should be to deny the rest of the world
# deny every other machine in the world
sshd : ALL : deny
Not so quick: implement your rules in a firewall.
Last edited by mwatkins; 7th April 2009 at 10:40 PM.
If you use public key encryption, ignore it.
If you use a weak password, worry. If it annoys you and you want cleaner logs (though not a truly more secure server), switch the port number. As for allow/disallow, you can do that from within sshd_config as well:
Code:
AllowUsers username
or, even more restrictive:
Code:
AllowUsers username@IP.Number
I like cleaner logs myself; hosts.allow or a firewall will give you that. Unless a hacker happens to be in the same block of IPs as my office or home, they won't be able to make a connection to port 22 or even be aware that it is there behind the wall.
Good point re public key vs password auth - I admit to just assuming no one would do otherwise. One of the big web hosting sites is down right now - hacked, credit cards stolen, because (if I have the story straight) of a weak password the authors of vbulletin had on the system. The hacker destroyed database records; Webhostingtalk.com had just got back on its feet again more or less when today the hacker proved to them that he had credit card data from their servers. Down again. Moral of the story: don't use weak passwords; don't use passwords if public key is a viable alternative; don't use the same password for your on-line community accounts as you do for managing services, servers, and software.
Last edited by mwatkins; 8th April 2009 at 12:29 AM.
You can use OpenBSD's Packet Filter, PF, to limit brute force attacks. See Stateful Tracking Options in http://www.openbsd.org/faq/pf/filter.html
See overload and flush.
You can use OpenBSD's Packet Filter, PF, to limit brute force attacks. See Stateful Tracking Options in http://www.openbsd.org/faq/pf/fr/filter.html See overload and flush.
By the way, you can translate almost any web page into French. Including this one. I like http:///translate.google.com, but there are others.
http://translate.google.com/translat...67&sl=en&tl=fr
By the way, you can translate almost any web page into French. Including this one. I like http:///translate.google.com, but there are others.
Note: please don't use web translators to turn French into English. The majority of the translations are incomprehensible and simply serve to confuse people attempting to help you.
Sorry for hijacking.
Hello
I can add the following rule directly to my pf.conf:
Code:
table <bad-people> persist
block in quick from <bad-people>
pass in quick on $external inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 4/60, overload <bad-people> flush global)
Code:
table <bad-people> persist
block in quick from <bad-people>
pass in quick on $external inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 4/60, overload <bad-people> flush global)