Comments on: Security Tip: Disable Root SSH Login on Linux http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/ Computer Help from your Friendly How-To Geek Sun, 08 Nov 2009 07:56:33 -0600 http://wordpress.org/?v=2.8.5 hourly 1 By: abhi http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-76756 abhi Thu, 17 Sep 2009 09:40:46 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-76756 Ofcourse even better is to completely disable password authentication and move over to a public key way of authentication. Ofcourse even better is to completely disable password authentication and move over to a public key way of authentication.

]]> By: abhi http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-76755 abhi Thu, 17 Sep 2009 09:40:02 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-76755 Can we not restrict based on mac addresses for those on the road? or with dynamic IPs? Can we not restrict based on mac addresses for those on the road? or with dynamic IPs?

]]> By: yendee http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-74152 yendee Thu, 09 Jul 2009 09:25:06 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-74152 #vi /etc/ssh/sshd_config .... PermitRootLogin no .... DenyUsers oracle ----------- and restart service for solaris10 #svcadm restart ssh or solaris9 #/etc/init.d/sshd restart http://it-howtodo.blogspot.com/2009/06/how-to-disable-users-for-ssh.html #vi /etc/ssh/sshd_config
….
PermitRootLogin no
….
DenyUsers oracle

———–
and restart service
for solaris10
#svcadm restart ssh

or solaris9
#/etc/init.d/sshd restart

http://it-howtodo.blogspot.com.....r-ssh.html

]]> By: Matt Warnock http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-69136 Matt Warnock Tue, 24 Mar 2009 00:41:07 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-69136 Great comments. I can't really use the IP restrictions myself, as I am often on the road, and need access from a hotel, internet cafe, or other unpredictable access point. My best friend is the "denyhosts" package, which allows 3 attempts (configurable) at a password, then shuts down the offending source IP for some period like a week. That shuts down brute force attacks pretty fast. Great comments. I can’t really use the IP restrictions myself, as I am often on the road, and need access from a hotel, internet cafe, or other unpredictable access point. My best friend is the “denyhosts” package, which allows 3 attempts (configurable) at a password, then shuts down the offending source IP for some period like a week. That shuts down brute force attacks pretty fast.

]]> By: Dave Casserly http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-67253 Dave Casserly Thu, 19 Feb 2009 23:41:43 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-67253 You could add the line sshd: ALL to /etc/hosts.deny file and then explicity add the ips i want to allow to /etc/hosts.allow Although this is only useful for those who have static ip and maybe not recommended if you only have 1 ip you can connect from that is provided to you by your isp for example. You could add the line

sshd: ALL

to /etc/hosts.deny file and then explicity add the ips i want to allow to /etc/hosts.allow

Although this is only useful for those who have static ip and maybe not recommended if you only have 1 ip you can connect from that is provided to you by your isp for example.

]]> By: TDI http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-62383 TDI Wed, 03 Dec 2008 10:51:36 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-62383 Damn skippy! I love this trick. Although, I like to pretend I'm really paranoid and also do the following: Assign a dedicated IP to SSH via /etc/ssh/sshd_config -this IP is to be used ONLY by SSH Assign a dedicated PORT to SSH via /etc/ssh/sshd_config -this PORT should only be used by SSH And of course, set up a firewall to block IPs that conduct port scans. Now a hacker must.... 1) know the IP 2) know the PORT 3) know the login 4) brute force the login pass 5) brute force the root pass I'd imagine (correct me if I'm wrong) that a hacker will give up before even getting to the login prompt... (or be blocked well before then) Damn skippy! I love this trick. Although, I like to pretend I’m really paranoid and also do the following:

Assign a dedicated IP to SSH via /etc/ssh/sshd_config
-this IP is to be used ONLY by SSH

Assign a dedicated PORT to SSH via /etc/ssh/sshd_config
-this PORT should only be used by SSH

And of course, set up a firewall to block IPs that conduct port scans.

Now a hacker must….
1) know the IP
2) know the PORT
3) know the login
4) brute force the login pass
5) brute force the root pass

I’d imagine (correct me if I’m wrong) that a hacker will give up before even getting to the login prompt… (or be blocked well before then)

]]> By: xaethos http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-57767 xaethos Tue, 16 Sep 2008 10:42:10 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-57767 Also, sudo can be easily set to a different password, or to tighter restrictions than full root. Then the attacker would have to brute-force two different passwords. Also, sudo can be easily set to a different password, or to tighter restrictions than full root. Then the attacker would have to brute-force two different passwords.

]]> By: Dean http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-57039 Dean Wed, 03 Sep 2008 07:35:33 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-57039 trashman, it is more secure to use a different login name over SSH because the hacker has to first guess the login name AND then the password of that login. Whereas, if root is enabled over SSH, the hacker knows the login and only needs to guess the password. trashman, it is more secure to use a different login name over SSH because the hacker has to first guess the login name AND then the password of that login.

Whereas, if root is enabled over SSH, the hacker knows the login and only needs to guess the password.

]]> By: Trashman http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-54906 Trashman Sat, 02 Aug 2008 01:30:14 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-54906 Ok, help me out here. How is it "insecure" to allow root login over ssh, but "secure" to allow a user with 'su' or 'sudo' access login over ssh. If a "hacker" discovers (by brute force, phishing, or whatever) the user's password with su, or sudo she can do just as much damage as if she found the root password by the same means and logged directly in. Ok, help me out here. How is it “insecure” to allow root login over ssh, but “secure” to allow a user with ’su’ or ’sudo’ access login over ssh. If a “hacker” discovers (by brute force, phishing, or whatever) the user’s password with su, or sudo she can do just as much damage as if she found the root password by the same means and logged directly in.

]]> By: The Geek http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/comment-page-1/#comment-24011 The Geek Fri, 05 Oct 2007 13:55:51 +0000 http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/#comment-24011 Great followup tip! Always love it when the readers add really useful information. Great followup tip!

Always love it when the readers add really useful information.

]]>