Disable direct root login
 

IMPORTANT NOTE:  This document is based on FreeBSD.  The concepts should be similar across operating systems, but the commands will very likely be different.  Also, never assume the directory structures exist in your system as written in the document.  Never blindly follow security instructions -- read, review, compare, apply as it fits your system.

Thanks goes to Martin (Marner in the Parallels H-Sphere forums)

Log into each server as root.

First add "cpanel and admin" to the wheel group (admin should be your normal user without root permissions that you first log into the server with, then su to root; admin should have a completely separate password from root).

  1. Edit /etc/group
  2. Locate wheel
  3. Add the following after root:

,cpanel,admin

  1. Save the file

Change the group access to su so that is belongs to the group wheel

chgrp wheel /usr/bin/su

Change the mode of the file so that root has read, write and execute, the group wheel has read and execute and everyone else has now rights

chmod 4750 /usr/bin/su

Limiting network access to root

This allows root to log on only at the server console

Edit /etc/securetty

comment out everything except for the lines

  • console
  • tty1
  • v/tty1

Now, edit your SSH configuration file as follows:

  1. Edit /etc/ssh/sshd_config
  2. Locate #Protocol 2, 1
  3. Uncomment it and change it to look like

    Protocol 2
     
  4. Add the following line:

AllowGroups wheel

  1. Next, locate #PermitRootLogin yes (it may already be uncommented)
  2. Uncomment it and make it look like

PermitRootLogin without-password

  1. Locate #IgnoreRhosts yes (it may already be uncommented)
  2. Uncomment it (remove the #)
  3. Locate X11Forwarding no
  4. Uncomment it.
  5. Locate PermitEmptyPasswords No
  6. Uncomment it.
  7. Save the file

Now restart sshd by doing

kill -HUP `cat /var/run/sshd.pid`


After you test the process, you may need to update "ChallengeResponseAuthentication" from yes to no (or otherwise uncomment and ensure it is set to no), and restart ssh -- Thanks to bruno.carlos@flesk.com

IMPORTANT NOTE:  This document and all linked document is being provided as a good will gesture to the Parallels H-Sphere community and to others who may benefit from its use.  Dynamic Net, Inc. makes no representations implied or explicit as to their value or warranty. Dynamic Net, Inc. will not be held liable for any damage resulting in the application of the steps and procedures noted.  If you feel uncomfortable at all about doing any of the steps, make a complete system backup and hire a third party like We Manage Servers to do the work for you.

  

 
 

Home ::  About :: Testimonials  ::  Articles ::  Employment ::  Contact
 Services ::  Web Hosting ::  Managed Services :: Parallels H-Sphere  :: Monitoring :: ShopSite 
 Resellers ::   Program ::  Compare Plans ::  Private Label		    
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  Legal Notices - Acceptable Use Policy, Contract, Copyright, Terms of Service

See our privacy statement for questions on how we use information gained by our site.

 Managed Services provided by We Manage Servers