SP_2018

SSH to servers

Hi,

I have a security-related question on Linux Ubuntu.
Can we remove sudo access to root console for power users?
But still allow admin to ssh to the servers with root password.
As a security measure, is it a good idea to disable root access to everyone if connecting to servers remotely?

Thanks
David Favor

1) Can we remove sudo access to root console for power users.

This is easy, just remove users from the sudo config + they won't be able to run sudo commands anymore.

How exactly your sudo users config is laid out is Distro dependent.

2) But still allow admin to ssh to the servers with root password.

So long as the admin user logs in as root or has a sudo users entry allowing them to sudo, this will work.

3) As a security measure is it a good idea to disable root access to everyone if connecting to servers remotely.

Some people say yes.

To me just use a strong, unique password + hacking into ssh is near impossible, so I prefer to just log in to all my machines + LXD containers as root.

Caveat: If you're unused to running with root sessions, keep in mind... with many commands... there's no way to recover from inputting the wrong command at the wrong place... For example...

cd /
rm -rfv *

Will destroy your system + require a fresh install.

I've seen someone actually do this + it's a mess.
ASKER CERTIFIED SOLUTION
serialband

This solution is only available to members.

I like serialband's answer. While both answers above will do what you want, I agree that Ubuntu has a security model that you would be breaking if you went with David's method. But David's method will work too. My concern would be that if you do David's method, and later someone else has to manage that machine, they may not be aware of the change and wonder why things are not working correctly.

If it is your machine only, you can go either way, but you might want to make a note of the change so sometime later, you will know why sudo stopped working.
noci

Normally you would not allow root access at all.
(The root user is anonymous...) It would be better to use a "regular" account and only do privileged tasks using "sudo".
Ubuntu is derived from Debian, which has always had this model.
IMO, follow serialband's recommendations on this.
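
Added example, not part of any post in this thread: a read-only check of the two settings the answers discuss, namely whether sshd permits root logins and which accounts are in the sudo group. The function names and sample files are constructed for illustration, and it assumes sudo rights are granted through the sudo group, as in Ubuntu's stock sudoers.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the checks
# can be run against copies of the real files.

# Print the global PermitRootLogin value of an sshd_config-style file.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; lines after a "Match" keyword are conditional, so the scan
# stops there. With no directive, current OpenSSH defaults to
# prohibit-password. Include files are not followed: on a live host,
# "sshd -T" prints the effective settings.
root_login_setting() {
    awk '
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }          # end of the global section
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Print the members that a group(5)-style file lists for group $2.
# Assumption: sudo rights come from group membership (Ubuntu's stock sudoers
# grants them to %sudo); per-user sudoers entries need a separate review.
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Constructed sample files (not taken from any real host).
sample=$(mktemp -d) && trap 'rm -rf "$sample"' EXIT
cat > "$sample/sshd_config" <<'EOF'
# PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF
cat > "$sample/group" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
users:x:100:carol
EOF

echo "root login over SSH: $(root_login_setting "$sample/sshd_config")"
echo "accounts in the sudo group:"
group_members "$sample/group" sudo
```

On a real host the arguments would be /etc/ssh/sshd_config and /etc/group.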