{"id":165,"date":"2021-06-15T11:25:01","date_gmt":"2021-06-15T11:25:01","guid":{"rendered":"https:\/\/tiruppurwebhosting.com\/blog\/?p=165"},"modified":"2021-07-16T07:01:46","modified_gmt":"2021-07-16T07:01:46","slug":"permit-ssh-login-through-su","status":"publish","type":"post","link":"https:\/\/tiruppurwebhosting.com\/blog\/permit-ssh-login-through-su\/","title":{"rendered":"Permitting SSH login through su user in CentOs"},"content":{"rendered":"<div class=\"entry-content clearfix\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-167 size-full\" src=\"http:\/\/tiruppurwebhosting.com\/blog\/wp-content\/uploads\/2021\/06\/SSH.png\" alt=\"su\" width=\"726\" height=\"294\" srcset=\"https:\/\/tiruppurwebhosting.com\/blog\/wp-content\/uploads\/2021\/06\/SSH.png 726w, https:\/\/tiruppurwebhosting.com\/blog\/wp-content\/uploads\/2021\/06\/SSH-300x121.png 300w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/p>\n<p>Disabling direct root login and Permitting through \u201csu\u201d user in Linux<\/p>\n<p>Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers,\u00a0 we need to enable\/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For a security measure we have to disable the direct root access and permit via su user.<\/p>\n<p>From this post, we are going to see how to secure our server\u2019s SSH login with additional security.<\/p>\n<h4 id=\"prerequisites\" class=\"fittexted_for_content_h4\">1.Prerequisites<\/h4>\n<ul>\n<li>CentOS 7.3 (Operating system used here)<\/li>\n<li>root privileges.<\/li>\n<\/ul>\n<p>Let\u2019s continue with creating the user<\/p>\n<h4 class=\"fittexted_for_content_h4\">2.Creating new user<\/h4>\n<p>To create the su user and disable ssh root login from outside world, follow the below steps.<\/p>\n<pre>#adduser webhost<\/pre>\n<pre>[root@tiruppurwebhosting ~]# adduser webhost\r\n[root@tiruppurwebhosting ~]# passwd webhost\r\nChanging password for user webhost.\r\nNew password:\r\nRetype new password:\r\npasswd: all authentication tokens updated successfully.\r\n<\/pre>\n<p>If you want to give a super user access to existing user, just add the user to group file.<\/p>\n<h4 class=\"fittexted_for_content_h4\">3.Adding the user to wheel group<\/h4>\n<p>Now, we need to add the user to \u201cwheel\u201d group to make the user as a \u201csu\u201d user. edit\u00a0<code>\/etc\/group<\/code>\u00a0file to add it.<\/p>\n<pre># nano \/etc\/group<\/pre>\n<p>Normal, output of group file will be as follows<\/p>\n<pre>GNU nano 2.3.1 File: \/etc\/group\r\n\r\nroot:x:0:\r\nbin:x:1:\r\ndaemon:x:2:\r\nsys:x:3:\r\nadm:x:4:\r\ntty:x:5:\r\ndisk:x:6:\r\nlp:x:7:\r\nmem:x:8:\r\nkmem:x:9:\r\nwheel:x:10:\r\ncdrom:x:11:\r\nmail:x:12:postfix\r\nman:x:15:\r\ndialout:x:18:\r\nfloppy:x:19:\r\ngames:x:20:\r\ntape:x:30:\r\n. . . \r\n. . .\r\n<\/pre>\n<p>After adding the user to the \u201cwheel\u201d group, save the file and confirm that the user was added to \u201cwheel\u201d group using the following command.<\/p>\n<pre># cat \/etc\/group | grep wheel<\/pre>\n<p>You can confirm it by the following output<\/p>\n<pre>[root@tiruppurwebhosting ~]# cat \/etc\/group | grep wheel\r\nwheel:x:10:webhost\r\n[root@tiruppurwebhosting ~]#\r\n<\/pre>\n<h4 class=\"fittexted_for_content_h4\">4.Disabling direct Root access<\/h4>\n<p>By editing the\u00a0<code>\/etc\/ssh\/sshd_config<\/code>\u00a0file and uncomment the \u201c<em>PermitRootLogin<\/em>\u201d to \u201c<em>no<\/em>\u201d to disable the direct ssh root login.<\/p>\n<pre># nano \/etc\/ssh\/sshd_config<\/pre>\n<p>Output of sshd_config file be like:<\/p>\n<pre># $OpenBSD: sshd_config,v 1.100 2016\/08\/15 12:32:04 naddy Exp $\r\n\r\n# This is the sshd server system-wide configuration file. See\r\n# sshd_config(5) for more information.\r\n\r\n# This sshd was compiled with PATH=\/usr\/local\/bin:\/usr\/bin\r\n\r\n# The strategy used for options in the default sshd_config shipped with\r\n# OpenSSH is to specify options with their default value where\r\n# possible, but leave them commented. Uncommented options override the\r\n# default value.\r\n\r\n# If you want to change the port on a SELinux system, you have to tell\r\n# SELinux about this change.\r\n# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\r\n#\r\n#Port 22\r\n#AddressFamily any\r\n#ListenAddress 0.0.0.0\r\n#ListenAddress ::\r\n\r\nHostKey \/etc\/ssh\/ssh_host_rsa_key\r\n#HostKey \/etc\/ssh\/ssh_host_dsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ecdsa_key\r\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\r\n\r\n# Ciphers and keying\r\n#RekeyLimit default none\r\n\r\n# Logging\r\n#SyslogFacility AUTH\r\nSyslogFacility AUTHPRIV\r\n#LogLevel INFO\r\n\r\n# Authentication:\r\n\r\n#LoginGraceTime 2m\r\nPermitRootLogin no\r\n#StrictModes yes\r\n#MaxAuthTries 6\r\n#MaxSessions 10\r\n\r\n#PubkeyAuthentication yes\r\n\r\n# The default is to check both .ssh\/authorized_keys and .ssh\/authorized_keys2\r\n# but this is overridden so installations will only check .ssh\/authorized_keys\r\nAuthorizedKeysFile .ssh\/authorized_keys\r\n\r\n#AuthorizedPrincipalsFile none\r\n\r\n#AuthorizedKeysCommand none\r\n#AuthorizedKeysCommandUser nobody\r\n\r\n. . .\r\n\r\n. . .\r\n<\/pre>\n<p>Once the modification was done as above,\u00a0 restart the ssh service using<\/p>\n<p>You can also modify the ssh port number for additional security,\u00a0<a href=\"https:\/\/tiruppurwebhosting.com\/blog\/2021\/06\/15\/steps-to-change-ssh-port\/\">click here<\/a><\/p>\n<pre># systemctl restart sshd.service<\/pre>\n<h4 class=\"fittexted_for_content_h4\"><strong>5.Login Directly via root user<\/strong><\/h4>\n<p>Now, let try to login the server via root user to check whether it\u2019s login directly root or not.<\/p>\n<pre>Using username \"root\".\r\nroot@103.12.211.150's password:\r\nAccess denied\r\nroot@103.12.211.150's password:\r\n<\/pre>\n<p>Yes, It is not allowing to login directly as root, so we are in right path.<\/p>\n<h4 class=\"fittexted_for_content_h4\">6.Login via \u201csu\u201d user<\/h4>\n<p>Now, try to login the server with su user and successfully login to <a href=\"https:\/\/www.squarebrothers.com\/dedicated-server-in-india\/\" target=\"_blank\" rel=\"noopener\">server<\/a>.<\/p>\n<pre>Using username \"webhost\".\r\nwebhost@103.12.211.150's password:\r\n[webhost@tiruppurwebhosting ~]$ su -\r\nPassword:\r\n\r\nLast login: Tue Dec 26 12:07:39 EET 2017 from 182.13.23.38\r\n[root@tiruppurwebhosting ~]#\r\n<\/pre>\n<p>Yes, now we can able to login to the server using su user.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Disabling direct root login and Permitting through \u201csu\u201d user in Linux Does everyone knows, nowadays we have facing number of Hacking attempts. Especially in linux servers,\u00a0 we need to enable\/disable some components to prevent those kind of hacking attempts. By default the root user is enabled in linux server and it is not recommended. For<\/p>\n","protected":false},"author":1,"featured_media":167,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,17,1,9,3],"tags":[83,81,82],"class_list":["post-165","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-basics","category-control-panel","category-home","category-linux","category-linux-tutorials","tag-direct-root","tag-root-user","tag-ssh"],"_links":{"self":[{"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/posts\/165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/comments?post=165"}],"version-history":[{"count":0,"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/posts\/165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/media\/167"}],"wp:attachment":[{"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/media?parent=165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/categories?post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tiruppurwebhosting.com\/blog\/wp-json\/wp\/v2\/tags?post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}