Brute Force Login Attempts are as common as ever. Even if you have a strong root password, it is a matter of time for it to be cracked using a dictionary attack. Hence the need to prevent direct ssh logins for common accounts like root or admin.

Generally, it’s safe to use a hidden “su” user first, then login to root or other accounts once connected. Disable any well known accounts (root, admin, etc) that don’t need direct access by editing the /etc/ssh/sshd_config and removing or commenting  out the section with the code.

#AllowUsers root

Always test changes before logging out else you may lock yourself out from the box.

Here how you can do it on a generic Linux system is three simple steps:

  1. Add the user. I’ve chosen the user editor. You can pick some other name.
    [root@mycomputer ~]# adduser editor
    [root@mycomputer ~]# id editor
    [root@mycomputer ~]# uid=1007(editor) gid=1008(editor) groups=1008(editor)
    [root@mycomputer ~]# whoami
    [root@mycomputer ~]# editor
  2. Set the password for the new user. Enter and confirm the new password at the command prompt.[root@mycomputer ~]# passwd editor
    Changing password for user editor.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    [root@mycomputer ~]#
  3. In order to give sudo permissions of the new user editor you have to edit the file /etc/sudoers, remove the comment # in front of the statement
    %wheel ALL=(ALL) ALL
    where you will give su permissions to the group wheel. Add the user to the wheel group.
    usermod -aG wheel editor.
    At least this is the approach recommended from by RedHat
    Another way of doing this is by giving su permissions to the user editor. Once again this is done by adding a line in /etc/sudoers
    editor ALL=(ALL) ALL
  4. Now ssh to the server with the new user. Make sure everything is okay and the user has all the rights you need.
    [root@mycomputer ~]# ssh editor@myserver
    editor@myderver's password:
    [editor@editor ~]$
  5. Check if you can su (switch user) to root from the user admin
    [admin@admin ~]$ sudo su
    Password:
    [root@editor ~]# whoami
    [root@editor ~]# root
  6. After you are completely sure the new user editor works as expected, you can disable root access via ssh. Edit the file
    [root@editor ~]$ nano /etc/ssh/sshd_config
    and either set
    PermitRootLogin no
    or remove/ comment out the line
    AllowUsers root
  7. The last step is to restart the sshd service.
    for RedHat Centos Fedora
    [root@editor ~]# service sshd restart
    for Ubuntu Debian
    [root@editor ~]# service ssh restart

Leave a Reply

Your email address will not be published.

Related Posts

Linux System Administration

How to change ssh port

Advantages of Changing SSH Port First, I want to explain the reasons behind changing the ssh port of a server. Why changing ssh port when you have a strong password and/or a certificate? Additionally, it Read more…

Linux System Administration

SSH Hardening Techniques

SSH Hardening Techniques These are the top practices to harden ssh. In this article I am going to list the best and most important open ssh server security practices. SSH protocol is the best option Read more…

Linux System Administration

How To Use Public Key Authentication Instead Of Password

Password Login Belongs To The Past Public key authentication is an easier and more reliable compared to the old- fashioned password-based login. Keys are basically less prone to brute-force attacks. If you want to force Read more…