ashsysad
asked on
Blocked direct root SSH access in Linux
Hello,
I have a requirement to block direct root SSH access from all hosts EXCEPT one server. Is it possible? I know that we can block direct root access by setting the directive "PermitRootLogin" to "no" in /etc/ssh/sshd_config. But how can I create an exception in it? Please let me know.
Thanks !
I don't know if there is a way to do this in SSH with an exception, but I can suggest that you configure iptables and allow SSH traffic from particular IPs only.
ASKER
Could you please give me the syntax for allowing SSH access only for a particular IP? I'm wondering how I can run 2 separate SSHD services on a single host. Let me search for it.
Why do you even need the exception? In normal circumstances that shouldn't be necessary or allowed. You can still use sudo or su from the logged-on user to get root privileges.
I would suggest configuring what you want in sshd_config using the AllowUsers directive. With this directive you specify the final set of users that are allowed to connect to SSH, but you can also control access based on IP addresses and hostnames. For example:
AllowUsers root@10.2.21.141 pawwa
would mean that root can connect only from host 10.2.21.141 and pawwa could connect from anywhere. Other users could not connect to SSH in this example. Of course, you need PermitRootLogin yes.
But yes, as rindi has pointed out, you should connect to SSH as a regular user and then use su or sudo to gain higher privileges.
ASKER
@rindi, I want to run certain scripts as root from a remote server. Per my company policy, direct root access to all critical servers should be denied. That's why I need an exception allowing just one server.
@Liddler, I will try your solution and update you.
To run those scripts you can use sudo access. It should work.
Or, BTW, you can use the authorized_keys file in the /root/.ssh/ directory and add a "from=host" option in that file, for example:
from="192.168.10.16" ssh-dss AAAAB3NzaC1kc3MA... My OpenSSH key
if you are using PubkeyAuthentication yes... But if it is scripts that you want to run, the most secure way will be by using sudo.
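To see how the AllowUsers entry and the from= option above are actually evaluated, here is an added Python model (not OpenSSH's code and not from this thread) that follows the pattern rules in sshd_config(5); the source address 203.0.113.9 in the demo is constructed.

```python
"""Model of how sshd evaluates AllowUsers USER@HOST entries and the authorized_keys
from= option, following the pattern rules in sshd_config(5): '*' and '?' wildcards,
comma-separated lists, '!' negation and CIDR blocks.  Added illustration, not OpenSSH's code."""
import fnmatch
import ipaddress


def match_one(value: str, pat: str) -> bool:
    """Match one pattern; 'addr/masklen' compares as a CIDR block (fnmatch also honours [...])."""
    if "/" in pat:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
        except ValueError:  # value is a hostname, or the block is malformed
            return False
    return fnmatch.fnmatchcase(value, pat)


def match_pattern_list(value: str, patterns: str) -> bool:
    """Comma-separated list: a matching '!pat' rejects even when an earlier
    positive pattern matched, as in OpenSSH's match_pattern_list()."""
    positive = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if match_one(value, pat[1:]):
                return False
        elif match_one(value, pat):
            positive = True
    return positive


def allow_users_permits(user: str, addr: str, allow_users: str) -> bool:
    """AllowUsers is space-separated; login is permitted only if some entry
    matches.  'USER@HOST' restricts USER to sources matching HOST."""
    for entry in allow_users.split():
        user_pat, _, host_pat = entry.partition("@")
        if match_one(user, user_pat) and (not host_pat or match_pattern_list(addr, host_pat)):
            return True
    return False


def key_permits(addr: str, from_option: str = "") -> bool:
    """authorized_keys 'from=' pins one key to matching sources; a key
    without the option (empty string here) is usable from anywhere."""
    return not from_option or match_pattern_list(addr, from_option)


if __name__ == "__main__":
    policy = "root@10.2.21.141 pawwa"  # the AllowUsers line from the answer above
    for user, src in [("root", "10.2.21.141"), ("root", "10.2.21.200"), ("pawwa", "203.0.113.9")]:
        print(user, "from", src, "->", allow_users_permits(user, src, policy))
```

Note that AllowUsers is a whole-daemon whitelist: any account not listed (here, anyone other than root and pawwa) is refused, which is why the directive must list every user who still needs SSH.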
In the SSHD configuration file (usually /etc/ssh/sshd_config):
PermitRootLogin no
Be sure to restart the SSH server after making the change.
Edit /etc/hosts.allow with the following:
sshd: your_allowed_ip
and /etc/hosts.deny with:
sshd: all
That should work.
ASKER
Running an additional SSH service on a different port seems to be the most appropriate solution and it worked for me. Thanks!