Full Version: How To: Disable Direct Root Login
foggy
Why would you want to disable root login?
Well.. you're not.. You are disabling "direct" root login.

This will force a hacker to have to guess 2 separate passwords to gain root access.. (you do have 2 separate passwords for admin and root right?)

After you do this, you will have to login as 'admin' then you will 'su -' to get to root.. We also will be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol.

Just a couple more ways to help your server stay safe from the bad guys.

If you're using cPanel make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

1) SSH into your server as 'admin' and gain root access by

su -

2) Copy and paste this line to edit the file

pico -w /etc/ssh/sshd_config

3) Find the line

#Protocol 2, 1

4) Uncomment it and change it to look like

Protocol 2

5) Next, find the line

#PermitRootLogin yes

6) Uncomment it and make it look like

PermitRootLogin no

7) Save the file

ctrl 'x' then 'y' then enter

8) Restart SSH

/etc/rc.d/init.d/sshd restart

Now, no one will be able to login to root without first logging in as admin and 'su -' to root, and you will be forcing the use of a more secure protocol.
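A pre-flight version of the steps above, as an added example that is not part of foggy's post: it checks that 'admin' is in the 'wheel' group, backs up the config, and writes the two edits to a copy instead of the live file. The function names `user_in_group` and `harden_sshd_config` are hypothetical, and the sample files are constructed in a temp directory.

```bash
#!/bin/bash
# Added example: pre-flight checks before disabling direct root login.
# Every file used here is a constructed sample in a temp dir, not the live system.

# Return 0 if USER is in GROUP's member list in an /etc/group-format file.
# (Member list only; primary-group membership via /etc/passwd is not checked.)
user_in_group() {
    local user="$1" group="$2" file="$3"
    awk -F: -v u="$user" -v g="$group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$file"
}

# Write a hardened copy of an sshd_config: "Protocol 2" and "PermitRootLogin no".
# Rewrites commented or active directives; appends one if it is absent.
harden_sshd_config() {
    local src="$1" dst="$2"
    sed -E \
        -e 's/^[[:space:]]*#?Protocol[[:space:]].*/Protocol 2/' \
        -e 's/^[[:space:]]*#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
        "$src" > "$dst"
    grep -q '^Protocol 2$' "$dst" || echo 'Protocol 2' >> "$dst"
    grep -q '^PermitRootLogin no$' "$dst" || echo 'PermitRootLogin no' >> "$dst"
}

# --- demo on constructed sample files ---
work=$(mktemp -d)
printf '%s\n' 'Port 22' '#Protocol 2, 1' '#PermitRootLogin yes' > "$work/sshd_config"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root' 'admin:x:500:' > "$work/group"

if ! user_in_group admin wheel "$work/group"; then
    echo "STOP: admin is not in wheel; 'su -' may be refused after the change"
fi
cp -p "$work/sshd_config" "$work/sshd_config.bak"   # backup before editing
harden_sshd_config "$work/sshd_config" "$work/sshd_config.new"
cat "$work/sshd_config.new"

# On a real server: validate the new file before installing it, then restart sshd
# and keep the current root session open until a fresh login as admin plus
# 'su -' has succeeded in a second window:
#   sshd -t -f "$work/sshd_config.new"
```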
webbcite
Good job Foggy!

I would add that users should also disable Protocol 1 logins as it is very insecure.

Change:

#Protocol 2, 1

to

Protocol 2

Just uncomment the line and remove the 1.
Da`Nacho
Thanks!

I'm kind of embarrassed to admit this, but I never did this on my server and it's about damn time I did!

All done and no problems, common sense howto really but it reminded me that I needed to do it and was a nice guide.
foggy
updated to include protocol 2 only
Sheps
You might also want to post the ProFTPD one too, I don't know where it is, just search my name, it shouldn't be too hard to find..

Cuz if you don't disable ProFTPD, it is kind of pointless to disable SSH...
cpfavre
With an SSH client, I can log on as admin and then change to su - and be root.

Can I do the same thing using a secure ftp client such as winSCP2?
Because of the above setup, I'm unable to upload or delete files that require root priv.

Thank you.
lunix
What is the sshd-rb_config file used for? I have noticed that it puts sshd on a very high port. Is this ok to disable or is it there for a reason ??
If it has to stay should we do the above fix to it as well ??
rfxn
http://forum.rackshack.net/showthread.php?...&highlight=root

That thread is somewhat more informative. But offhand no, just edit the sshd_config file.
wshawn
I log on as one of my site admins.

Type in su - and no matter which password I use:
ensim control panel, root, admin, etc all come back "su: incorrect password" I even logged into root and /usr/bin/passwd to change it. Nothing.... This is too weird
rfxn
you might have pam wheel protection on root, try adding admin to group wheel in /etc/group
wheel:x:10:root,admin
webbcite
You can't su - from a virtual site user. So if you are logged in as a site admin on a virtual, su - is not allowed.
wshawn
I got it. Sheesh. Wish I was blonde so I could blame that.

Log on as "admin"

Then su -

Not site admin......



Thanks webcite...
av8er
Ok, I just modified the two files and when I went to restart ssh i got an error and got booted off. In Ensim it says that ssh is down. Is there a way to fix this in Ensim?
foggy
can u sign back on using ssh?

can you start it through ensim..

what was the error you got?
av8er
Error message when trying to start ssh in Ensim:

Status: Failed! Result: start for service ssh failed.

I cannot sign back in using ssh.


I'm stumped.
foggy
Hmm,

As much as i hate this word..

Is telnet still on? you could sign in that way.. fix the boo boo and restart ssh..

If telnet is off.. then... hmm not sure what to say.. maybe RS can get in there through a console and fix it (if you ask nice)
av8er
I don't know why I didn't think of that. It wasn't on, but I am able to start the service in Ensim. Now to see if I can find the error.


Thank you.

**EDIT**

I was able to telnet in. I feel silly. The problem was I'm not used to using pico, I normally use VI. Well, I used pico like you said and when I tried to save it I added a bunch of nonsense to the bottom of the file, causing it to throw up an error. I used VI and fixed it.

Thanks again for the help.
AusJeff
Ummmm seem to have a problem with this one on a new Ensim Pro box.

After doing the HOW TO I restarted.

Now I get Login As:
Password:

and not a single configuration works. root/password, admin/password nothing!

I went into Ensim and turned on Telnet and add it but once again:
invalid login.

I've restarted restarted and restarted.

Helppppppp
wshawn
Try resetting the password for the admin in ensim. Sometimes Ensim 3.1x dropped the password to "" (blank). Sometimes the pass is here and not there. Resetting the password in Ensim has always fixed this for the older ensim I've been running.
steve248
I have followed your howto and everything went fine except after I have logged in as admin I type su - and get the following error.

bash: /bin/su: Permission Denied

I am seriously concerned that I will not be able to log in as root again.

Hopefully it's just something obvious missed.
Dio
QUOTE
Originally posted by steve248
I have followed your howto and everything went fine except after I have logged in as admin I type su - and get the following error.

bash: /bin/su: Permission Denied

I am seriously concerned that I will not be able to log in as root again.

Hopefully it's just something obvious missed.

I am also having the same problems after disabling direct root access. I am sure that is something simple to correct.
rfxn
chmod 4755 /bin/su
Dio
QUOTE
Originally posted by rfxn
chmod 4755 /bin/su

I tried that and received the following message:

admin@plain [~]# chmod 4755 /bin/su
chmod: changing permissions of `/bin/su': Operation not permitted
steve248
Yes, I get the same error.

You can probably only use this command logged in as root LOL

Hopefully something else though:)
rfxn
submit a ticket to RS and ask them if they could login as root from console and run the command:
chmod 4755 /bin/su

And optionally add the user admin to group wheel
file /etc/group
add user admin to wheel line
wheel:x:10:root,admin
Dio
Good advice - a trouble ticket has been opened.
rfxn
I know it's been said already but make sure you're logged in as the server admin and not a site admin.

Also try the following and paste your output:
# ls -al /bin/su
and
# id
Dio
admin@plain [~]# id
uid=500(admin) gid=500(admin) groups=500(admin)
admin@plain [~]# ls -al /bin/su
-rwsr-x--- 1 root wheel 19116 Apr 8 2002 /bin/su*
admin@plain [~]#
rfxn
Yup, that's the problem. You are not group wheel but you have the su binary set to permissions root:wheel/4750, thus making it so only users in group wheel can execute the binary.

If you will; also run the command
# uname -a
Dio
Linux plain.rackshack.net 2.4.18-27.7.x #1 Fri Mar 14 06:44:53 EST 2003 i686 unknown
Dio
Thanks to the folks at RS the problem has been solved.

rfxn - Thanks for your assistance as well.
steve248
I haven't had a chance to put in a ticket yet, do you know what they did to fix it?
brichi
QUOTE
Originally posted by rfxn
you might have pam wheel protection on root, try adding admin to group wheel in /etc/group
wheel:x:10:root,admin


would this allow you to ftp in as admin and still be able to upload/download files in system root?

--Tone
AusJeff
Gee what a pain that was.

Make sure you have an ADMIN user for SSH login before doing that. Geee

The Ensim Appliance manager is not the same as ADMIN for SSH logins.

Now that that's sorted I can go to sleep :-)
brichi
QUOTE
Originally posted by rfxn
you might have pam wheel protection on root, try adding admin to group wheel in /etc/group
wheel:x:10:root,admin


I am trying to do the above - not sure what that actually means...

should I pico /etc/group and add the line 'wheel:x:10:root,admin '?

and that will allow me to still ftp in as root or as admin to the root directory for system uploads/downloads?

--Tone
brichi
hmm... I can not login via ftp as root anymore, and admin does not have access to the root directories (insufficient access)

--Tone
AusJeff
You shouldn't have root access via FTP anyway, if you did you've got some serious security loopholes on your server.

Root should only be able to gain access via SSH (or Telnet, but that should be disabled as well due to security reasons).
brichi
so if I need to upload something to the server root - I need to upload it to admin and then mv and chown it manually?

--Tone
AusJeff
That is one way of doing it, or run a web server at your home/office and then use the wget command to get it from there.
brichi
oh I like that idea. never occurred to me. hmm... thanks!

--Tone
Kiaska
Guys
I think I wrecked my ssh config file LOL
When I restarted it I get [FAILED] to start
Now I'm scared to close SSH until I can get this sorted in case I can't login again ROFL just hope my ISP keeps up...
I checked the lines I edited and they look fine. Maybe I accidentally deleted something else too? Can someone tell me what my SSH config file should look like? I'm on a cPanel box...
vladgur
Wow, I guess I'm too late for this parade, but those guys who got the su permission denied error after they disabled direct root login and restarted ssh, you can still go login as root through WHM (if you're on CPANEL) and add your user to a wheel group. That will enable the su function.....
instantnet
Wouldn't it be a good idea to change your SSH port as well?

How do you change the password for the current user?

Thanks
hbjsp
Have not found a need to change the port for SSH..

But for changing the password...

/usr/bin/passwd
instantnet
Thanks!
oziris
I logged in as root through SSH and tried setting password for admin since I couldn't login earlier. It says that user admin doesn't exist. Which admin are you all talking about in here?

Thanks,
Predrag
webspace1
worked great here, one thing I've noticed from this thread and all the people that hosed their config file, why isn't anyone backing up the file before editing? I always do, I KNOW I can't type
nature
QUOTE
Originally posted by foggy
If you're using cPanel make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root

3 quick questions:

1. Other than the double-login, what is supposed to be the purpose of the "admin" user?

2. Does Cpanel or RS Staff use the "admin" user in any way?

3. If direct root login is disabled, I guess we'll have to include both the admin and root passwords in RS tickets, right?

Thanks in advance.
christyle
worked perfectly on ensim 3.1.11 (celeron 1.3ghz). i did use vi to edit the file though, instead of pico.
Erwin
QUOTE
Originally posted by nature
3 quick questions:

1. Other than the double-login, what is supposed to be the purpose of the "admin" user?

2. Does Cpanel or RS Staff use the "admin" user in any way?

3. If direct root login is disabled, I guess we'll have to include both the admin and root passwords in RS tickets, right?

Thanks in advance.


I actually remove admin from my wheel, so it's not even usable. I use another account to login, which I can then su- with.