ashsysad (United States of America) asked:
Blocked direct root SSH access in Linux

Hello,

I have a requirement to block direct root SSH access from all hosts EXCEPT one server. Is it possible? I know that we can block direct root access by setting the directive "PermitRootLogin" to "no" in /etc/ssh/sshd_config. But how can I create an exception in it? Please let me know.

Thanks !
upanwar (India):

I don't know if there is a way to do this in SSH with an exception, but I can suggest configuring iptables to allow SSH traffic from particular IPs only.
liddler (Ireland) posted the accepted solution; it is available to members only and is not included here.
ashsysad (asker):
Could you please give me the syntax for allowing SSH access only for a particular IP? I'm wondering how I can run 2 separate SSHD services on a single host. Let me search for it.
rindi:
Why do you even need the exception? In normal circumstances that shouldn't be necessary or allowed. You can still use sudo or su from the logged-on user to get root privileges.
A further solution was posted; it is available to members only and is not included here.
I would suggest configuring what you want in sshd_config using the AllowUsers directive. With this directive you specify the final set of users that are allowed to connect to SSH, but you can also control access based on IP addresses and hostnames. For example:

AllowUsers root@10.2.21.141 pawwa

would mean that root can connect only from host 10.2.21.141 and pawwa could connect from anywhere. Other users could not connect to SSH in this example. Of course, you need PermitRootLogin yes.
But, yeah, as rindi has pointed out, you should connect to SSH as a regular user, and then use su or sudo to gain higher privileges.
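To see how sshd would evaluate the AllowUsers line above, here is an added Python model of the directive's documented matching rules (my own code, not OpenSSH's and not the poster's): each token is user or user@host, both parts accept the * and ? wildcards, the host part may also be a CIDR block, and it is tested against the client's IP and its resolved hostname. Negated (!) patterns are left out for brevity.

```python
"""Model of how OpenSSH evaluates the AllowUsers directive in sshd_config.

This is an added illustration of the documented semantics, not OpenSSH's
own code.  A login is permitted only if at least one token matches the
connecting user (and, for USER@HOST tokens, the client's address or name).
"""
from fnmatch import fnmatchcase
import ipaddress

# The directive from the post above, as the policy under test.
POLICY = "AllowUsers root@10.2.21.141 pawwa"


def _host_matches(pattern, addr, hostname):
    """Test the HOST part of a token against the client's IP and hostname."""
    if "/" in pattern:
        # CIDR form: compare the client address numerically.
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    # Wildcard form: match the address, or the resolved hostname.
    # (sshd only has a real hostname here when UseDNS is enabled;
    # otherwise the "hostname" it compares is the IP string itself.)
    if fnmatchcase(addr, pattern):
        return True
    return hostname is not None and fnmatchcase(hostname, pattern)


def is_allowed(directive, user, addr, hostname=None):
    """Return True if USER connecting from ADDR/HOSTNAME passes AllowUsers."""
    tokens = directive.split()
    if tokens and tokens[0] == "AllowUsers":
        tokens = tokens[1:]
    for token in tokens:
        if "@" in token:
            user_pat, host_pat = token.split("@", 1)
            if fnmatchcase(user, user_pat) and _host_matches(host_pat, addr, hostname):
                return True
        elif fnmatchcase(user, token):
            return True
    # No token matched: sshd rejects the login before authentication.
    return False


if __name__ == "__main__":
    for who, where in [("root", "10.2.21.141"), ("root", "10.2.21.142"),
                       ("pawwa", "203.0.113.9"), ("bob", "10.2.21.141")]:
        print(f"{who}@{where}: {'allowed' if is_allowed(POLICY, who, where) else 'denied'}")
```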
@rindi, I want to run certain scripts as root from a remote server. Per my company policy, direct root access to all critical servers should be denied. That's why I need an exception allowing just one server.

@Liddler, I will try your solution and update you.
To run the certain scripts you can use sudo access. It should work.
Or, BTW, you can use the authorized_keys file in the /root/.ssh/ directory and add a "from=host" option in that file, for example:

from="192.168.10.16" ssh-dss AAAAB3NzaC1kc3MA... My OpenSSH key

if you are using PubkeyAuthentication yes... But if it is scripts that you want to run, the most secure way will be by using sudo.
In the SSHD configuration file (usually /etc/ssh/sshd_config):
PermitRootLogin no

Be sure to restart the SSH server after making the change.
Elfer2481:

Edit /etc/hosts.allow with the following:

sshd: your_allowed_ip

and /etc/hosts.deny with:

sshd: all

That should work.
Running an additional SSH service on a different port seems to be the most appropriate solution, and it worked for me. Thanks!