Full Version: How to use a separate IP for SSH to heighten root access security
The Planet Forums > Control Panels > Plesk > Plesk HOWTOs
Rocky
1) Create a new and unique root access user (because we are going to delete the user 'admin', since it is too generic and most people can guess it, especially if they know where you get your server from.)

Login as root using a ssh connection such as Putty. Make sure you have the latest version of Putty that supports SSH2.

Add a user named 'dummy':

# /usr/sbin/adduser dummy

Verify that you have added the user

# tail /etc/passwd

Set a password for the user 'dummy':

# passwd dummy


Add user to the wheel group

# /usr/sbin/usermod -G wheel dummy

Change user permissions:

# chmod 4750 /bin/su; chown root:wheel /bin/su

Check su command permissions

# ls -al /bin/su

The result should be: -rwsr-x--- 1 root wheel 34567 Mar 20 2005 /bin/su

Note: the file size and date may be different from the example.

Exit and relogin with the new user name dummy and test out su command.



2) Bind sshd to a separate IP (warning: do NOT disable Telnet access until this part is working; you might have to use it if something goes wrong. You may lock yourself out if you make mistakes in this procedure. You have been warned!)

Request an IP from the datacenter, and register a nameserver with it using a name such as "ssh.mydomain.net" at your domain registrar. Wait until it resolves. In the meantime:

- Bind the IP to your server using the IP alias setting from your control panel.

- Add an A record for this name server in the related DNS zone:

ssh.mydomain.net (A) 123.123.123.123

(assuming 123.123.123.123 is the ip.)

When the name server resolves, ssh into your box using the user name created above. Switch to root with su - and type:

# nano -w /etc/ssh/sshd_config

Find the line "#ListenAddress 0.0.0.0". Delete the # and change it to "ListenAddress (the IP for the ssh name server)", so it looks like:

ListenAddress 123.123.123.123

Next we will force the use of SSH2 by changing the line "#Protocol 2, 1" to:

Protocol 2

Next, we will disable direct root login access by changing the line "#PermitRootLogin yes" to:

PermitRootLogin no

Next, we will change the ssh port to a high port instead of '22' by changing the line "#Port 22" to:

Port 7777

(7777 can be any other high number you desire that is also available. ***Make sure this port is open if you already have a firewall installed, or you will be locked out.)

Exit and save.

Restart SSH using the following command:

/etc/rc.d/init.d/sshd restart

Now exit and restart your SSH terminal using 'ssh.mydomain.net' as the host name and 7777 (or the number you entered above) as the port. Start the terminal and log in with the username created above.

If you made any mistakes and you are locked out, then you have to connect using Telnet and correct the problem. After the problem is corrected, you must change your password, because Telnet may have exposed your password, since it transmits login data in plain text.

Once this is successfully set up, you should delete the generic username 'admin' by:

# /usr/sbin/userdel admin



3) Have the server e-mail you every time someone logs in as root:

# cd
# nano .bash_profile

And put this text at the very end:

# "who -m" reports only the terminal this shell is on, so the subject names the originating login rather than every user on the box
echo "ALERT - Root Shell Access on: $(date) $(who)" | mail -s "Alert: Root Access from $(who -m | awk '{print $NF}')" dummy@mydomain.com dummy2@mydomain.com

(You can add several addresses by putting a space in between. Make sure you also use an off-server email address, otherwise if the server is hacked, you won't receive any email alert.)



4) Now since everything is working well through SSH, you can disable Telnet:

# nano -w /etc/xinetd.d/telnet
Change disable = no to yes

Save and Exit

/etc/init.d/xinetd restart
MyFirstPlesk
Thank you Rocky. This was very informative and helpful.
I have one question:
I tried the "Send Email Upon Root Login" as you explained; however, I encountered the following:
When I use the su - command I receive the email.
But, when I use the su command without the - part, I do not receive the email.
eth00
This guide will work for all versions of ssh, they are all the same :)


As far as the su/su - thing, it is because of what the command does. su gains root but does not run .bash_profile and does not set up any of the root paths. On the other hand, when you add the - it does. Basically there is nothing you can do about it other than setting it to email when the shell users log in... or maybe some sort of a script built into su, but now we are getting way too complex.
Rocky
QUOTE (eth00)
This guide will work for all versions of ssh, they are all the same :)


Do you mean SSH and SSH2 are the same?

I thought SSH2 is more secure, so forcing it to use SSH2 is a better choice. Am I wrong?

Sam
eth00
No, ssh2 and 1 are different; ssh2 is preferred. I am saying you posted this in the Plesk forum but it will work for any control panel.
Manuel
Rocky,

Why do you suggest changing the SSH port to a higher range? I think the default one is standard.

Is there any special security reason to hide the standard port of SSH?

Thanks,
eth00
QUOTE (Manuel)
Rocky,

Why do you suggest changing the SSH port to a higher range? I think the default one is standard.

Is there any special security reason to hide the standard port of SSH?

Thanks,


Yes and no. Any real cracker wanting in to your system can still exploit ssh if you are vulnerable. However, this will stop the script kiddies from automatically scanning your machine.
Manuel
QUOTE
Find the line "#ListenAddress 0.0.0.0". Delete the # and change it to "ListenAddress (the IP for the ssh name server)", so it looks like:

If I want to allow more than one IP, shall I use a comma (,) between the IPs in the list?
Gary Simat
I think you just add multiple lines like

ListenAddress 1.1.1.1
ListenAddress 2.2.2.2
ListenAddress 3.3.3.3

try it and let me know
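As an added example (not code from the thread), the script below checks a sshd_config for the four settings changed in step 2 of Rocky's post, and it reads the file the way sshd does, which also answers Manuel's question about several IPs: every ListenAddress line applies (commas are not accepted), and for any single-valued keyword the first occurrence wins, so a hardened line appended below an older active one has no effect. The three configs are constructed samples; 192.0.2.10 is a documentation address standing in for the dedicated SSH IP, and absent settings fall back to the defaults of OpenSSH of that era (listen on every address, Protocol 2,1, PermitRootLogin yes, Port 22), which are exactly the values the post tells you to change.

```shell
#!/bin/sh
# Added example: audit sshd_config the way sshd parses it.
#   - the FIRST occurrence of a single-valued keyword wins
#   - ListenAddress and Port may appear several times and every line applies
#   - keywords are case-insensitive, "Key=value" is accepted
#   - the global section ends at the first "Match" line

# sshd_values KEY FILE -> every value of KEY in the global section, one per line
sshd_values() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment
        NF == 0 { next }                          # blank line
        { gsub(/=/, " ") }                        # "Key=value" -> "Key value"
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the keyword
            print
        }' "$2"
}

# sshd_effective KEY FILE DEFAULT -> the value sshd will use for a single-valued key
sshd_effective() {
    v=$(sshd_values "$1" "$2" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> one finding per line; exit status 0 only when clean
audit_sshd_config() {
    f=$1; n=0
    la=$(sshd_values ListenAddress "$f")
    if [ -z "$la" ]; then
        echo "ListenAddress: not set, sshd listens on every address"; n=$((n+1))
    else
        for a in $la; do
            case "$a" in
                0.0.0.0*|'::'*|'[::]'*) echo "ListenAddress: $a is a wildcard"; n=$((n+1)) ;;
            esac
        done
    fi
    case "$(sshd_effective Protocol "$f" '2,1' | tr -d ' ')" in
        *1*) echo "Protocol: SSH protocol 1 is still enabled"; n=$((n+1)) ;;
    esac
    prl=$(sshd_effective PermitRootLogin "$f" yes | tr 'A-Z' 'a-z')
    [ "$prl" = no ] || { echo "PermitRootLogin: is '$prl', should be 'no'"; n=$((n+1)); }
    ports=$(sshd_values Port "$f")
    for p in ${ports:-22}; do
        [ "$p" != 22 ] || { echo "Port: sshd still listens on the default port 22"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ]
}

# Constructed sample configs (192.0.2.10 is a placeholder for the dedicated SSH IP).
WEAK=$(mktemp); HARD=$(mktemp); TRICKY=$(mktemp)
cat >"$WEAK" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
X11Forwarding yes
EOF
cat >"$HARD" <<'EOF'
ListenAddress 192.0.2.10
Protocol 2
PermitRootLogin no
Port 7777
EOF
# Hardened lines appended at the END of a file whose earlier lines are still active:
# sshd keeps "Port 22" and "PermitRootLogin yes" because they come first.
cat >"$TRICKY" <<'EOF'
Port 22
PermitRootLogin yes
ListenAddress 192.0.2.10
Protocol 2
PermitRootLogin no
Port 7777
EOF

for f in "$WEAK" "$HARD" "$TRICKY"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "clean"
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd; the third sample is the usual way people lock themselves out after following a guide like this one, because the edits were appended instead of replacing the commented-out lines.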
Manuel
Hello,

A few days ago, I found the sshd log below for my server; I think it is an intrusion.

I am using the default SSH configuration; can anyone shed some light on this log?

Jan 14 03:10:29 cpanel sshd(pam_unix)[1354]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:29 cpanel sshd(pam_unix)[1353]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:29 cpanel sshd(pam_unix)[1358]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:33 cpanel sshd(pam_unix)[1418]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:33 cpanel sshd(pam_unix)[1416]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:33 cpanel sshd(pam_unix)[1417]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:36 cpanel sshd(pam_unix)[1483]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net

Thanks,
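As an added example (not from the thread), the script below summarises pam_unix failure lines like the ones Manuel posted. The log file is constructed inline from the seven lines in the post (the address masked with XX is kept as posted) plus two unrelated lines, one successful login and one failure from a second host, so the filter has something to ignore. For every rhost it reports the total number of failures and the largest number of failures within a single second; several different sshd PIDs failing in the same second means several connections arrived at once, which is what an automated scanner looks like in the log.

```shell
#!/bin/sh
# Added example: count sshd(pam_unix) authentication failures per source host.

# Constructed log: the seven lines from the post plus two unrelated lines.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Jan 14 03:10:29 cpanel sshd(pam_unix)[1354]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:29 cpanel sshd(pam_unix)[1353]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:29 cpanel sshd(pam_unix)[1358]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:33 cpanel sshd(pam_unix)[1418]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:33 cpanel sshd(pam_unix)[1416]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:33 cpanel sshd(pam_unix)[1417]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:10:36 cpanel sshd(pam_unix)[1483]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ev1s-XX-XX-XX-XX.ev1servers.net
Jan 14 03:12:01 cpanel sshd[1502]: Accepted password for dummy from 192.0.2.20 port 40112 ssh2
Jan 14 03:15:44 cpanel sshd(pam_unix)[1533]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.20
EOF

# ssh_fail_report LOGFILE THRESHOLD
# Prints "host total burst" for every rhost with at least THRESHOLD failures,
# busiest host first. "burst" is the most failures from that host in one second.
ssh_fail_report() {
    awk -v thr="$2" '
        /sshd\(pam_unix\)\[[0-9]+\]: authentication failure;/ {
            host = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) host = substr($i, 7)   # value after "rhost="
            if (host == "") next                            # local or unknown source
            ts = $1 " " $2 " " $3                           # e.g. "Jan 14 03:10:29"
            total[host]++
            persec[host, ts]++
            if (persec[host, ts] > burst[host]) burst[host] = persec[host, ts]
        }
        END {
            for (h in total)
                if (total[h] >= thr) print h, total[h], burst[h]
        }' "$1" | sort -k2,2nr
}

# Hosts with three or more failures in the constructed log.
ssh_fail_report "$LOG" 3
```

On a real server point it at /var/log/secure (or /var/log/auth.log) and raise the threshold; a host that produces three failures in the same second from three different sshd PIDs, as the posted lines do, is not a person mistyping a password.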