Restricting direct root access.

Minimal security measures for ssh access to the server.

To avoid the unpleasant situation where frustrated kids try to break into the server with various programs that run through a list of ssh passwords, one solution is to restrict direct ssh login for the root user.

Edit /etc/ssh/sshd_config

If it is commented out, uncomment the line:

Protocol 2

Change

PermitRootLogin yes to PermitRootLogin no

Restart the service: /etc/rc.d/init.d/sshd restart

Before doing that, don't forget to create a user we can log in with:

useradd <username>
passwd <username>

Options for creating the user:

-c '<comment>' <comment> can be replaced with any string. This option is generally used to specify the full name of a user.
-d <home-dir> Home directory to be used instead of the default /home/<username>/
-e <date> Date on which the account is disabled, in the format YYYY-MM-DD
-f <days> Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.
-g <group-name> Group name or group number for the user's default group. The group must exist prior to being specified here.
-G <group-list> List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
-m Create the home directory if it does not exist.
-M Do not create the home directory.
-n Do not create a user private group for the user.
-r Create a system account with a UID less than 500 and without a home directory.
-p <password> The password, encrypted with crypt.
-s <shell> User's login shell, which defaults to /bin/bash.
-u <uid> User ID for the user, which must be unique and greater than 499.

How do we log in as root?

Simple! Log in via ssh with the newly created user and type the command:

su

after which we are asked for the root password:

Password:

Limit the maximum number of password attempts over ssh

Uncomment the line:

MaxAuthTries 3

To see the details of the last login, uncomment the line

PrintLastLog yes
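To verify that the sshd_config edits above are actually in effect, here is an added example (not from the original post) that audits a config file for the four directives discussed; the two sample configs are constructed inline, and the helper names sshd_get, fail and check_sshd_config are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# directives this post changes. Only the first uncommented occurrence of a
# directive counts, as in sshd itself; Match blocks are not handled.

# sshd_get FILE DIRECTIVE: print the effective value of DIRECTIVE (keyword
# match is case-insensitive), or nothing if it is commented out or absent.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }             # skip comment lines
        tolower($1) == key { print $2; exit } # first match wins
    ' "$1"
}

# fail MESSAGE: record one deviation (findings is shared with the caller).
fail() { echo "$1"; findings=$((findings + 1)); }

# check_sshd_config FILE: print one line per deviation from the post's settings
# and return their count (0 means all four directives are in place).
check_sshd_config() {
    findings=0
    # An absent PermitRootLogin means the compiled-in default, which is "yes"
    # on the OpenSSH releases this post targets, so it is reported as well.
    v=$(sshd_get "$1" PermitRootLogin)
    [ "$v" = no ] || fail "PermitRootLogin is '${v:-unset}', want 'no'"
    # "Protocol 2,1" still allows protocol 1, so only an exact "2" passes.
    v=$(sshd_get "$1" Protocol)
    [ "$v" = 2 ] || fail "Protocol is '${v:-unset}', want '2'"
    v=$(sshd_get "$1" MaxAuthTries)
    case "$v" in
        ''|*[!0-9]*) false ;;        # unset or not a number
        *) [ "$v" -le 3 ] ;;         # numeric: must be 3 or lower
    esac || fail "MaxAuthTries is '${v:-unset}', want 3 or lower"
    v=$(sshd_get "$1" PrintLastLog)
    [ "$v" = yes ] || fail "PrintLastLog is '${v:-unset}', want 'yes'"
    return "$findings"
}

# Constructed sample configs, not copied from any real server: one edited as
# the post describes, one with the stock commented-out defaults left in place.
HARDENED_CFG=$(mktemp); DEFAULT_CFG=$(mktemp)
trap 'rm -f "$HARDENED_CFG" "$DEFAULT_CFG"' EXIT
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'MaxAuthTries 3' 'PrintLastLog yes' > "$HARDENED_CFG"
printf '%s\n' '#Protocol 2,1' '#PermitRootLogin yes' '#MaxAuthTries 6' '#PrintLastLog yes' > "$DEFAULT_CFG"

check_sshd_config "$HARDENED_CFG" && echo "hardened sample: OK"
check_sshd_config "$DEFAULT_CFG" || echo "default sample: $? finding(s)"
```

On current OpenSSH releases protocol 1 is gone from the server entirely, so the Protocol line matters only on the older releases this post targets.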

WinSCP + Sudo

If we use the WinSCP client to copy/edit files on the server while root login is disabled, in the SCP/Shell tab we enter the command

sudo -s or, in my case, sudo su - also worked
