Advertisement
hjysy

Disable Root & Add New User

Sep 22nd, 2019
248
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.66 KB | None | 0 0
  1. Disable Root & Add New User
  2. I've recently moved to a VPS from shared hosting, have experience with VPS but never been so indulged for security stuff.
  3. Each hour i'm receiving like 1000's of failed SSH login attempts.
  4.  
  5. ++++++++++++++
  6. If You want to buy cheap web hosting then visit http://Listfreetop.pw and select the cheapest hosting. it can be suitable for all your needs.
  7.  
  8. Top 200 best traffic exchange sites http://Listfreetop.pw/surf
  9.  
  10. list of top gpt sites
  11. list of top ptc sites
  12. list of top ptp sites
  13. list of top crypto currency Wallets sites
  14. Listfreetop.pw
  15. Listfreetop.pw
  16. Listfreetop.pw
  17. +++++++++++++++
  18.  
  19. I've read few article regarding ssh security, created a new user with SUDO permission but i'm unable to edit files via SFTP access using that user.
  20.  
  21. can you please guide to create a user just like a root and completely disable root user or any other good practice ?
  22.  
  23. Update :- Forgot to mention, issue is related with Files owned by root user and root group, New user cant edit root files via sftp, Centos 7.
  24.  
  25. Can you mention the steps you took to add the new 'root' user?
  26.  
  27. That is easy. In RHEL/CentOS 7, add the new user to the wheel group and you are done.
  28.  
  29. For CentOS 6, you can add the user/group to the /etc/sudoers file. Honestly, it is not required though.
  30.  
  31.  
  32. 1. Change the default SSH port.
  33. 2. Enable key-based authentication and disable password authentication.
  34.  
  35. If you do the above two steps, you should not receive any more "failed login" notifications.
  36.  
  37. Also, if you have a static IP, then you can disable SSH connections from other IP addresses.
  38.  
  39. Can you mention the steps you took to add the new 'root' user?
  40.  
  41. Yes, sir. I followed a digital ocean article to add sudo user.
  42.  
  43. adduser root1 // create user
  44. passwd roo1 // set password for new user
  45. usermod -aG wheel root1
  46.  
  47.  
  48. all my webfiles are owned by apache user, to allow php access to them.
  49.  
  50. Update :- Forgot to mention, issue is related with Files owned by root user and root group, New user cant edit root files via sftp, Centos 7.
  51. You can not use an FTP client to edit those files unless there are ACLs set.
  52.  
  53. To edit those files with the sudo user, you have to use the terminal and start each command with "sudo".
  54.  
  55. You can not use an FTP client to edit those files unless there are ACLs set.
  56.  
  57. To edit those files with the sudo user, you have to use the terminal and start each command with "sudo".
  58. Oh Okay, i'm not very much used to of command line to perform task would prefer sticking with root then .
  59.  
  60. One question i have regarding 'Disabling the password and Logging in via key based authentication'.
  61. In case i lose the key, it wouldn't be possible to log in to the server ? & can the key be backed up at some cloud place or mail ?
  62.  
  63. Is it an OpenVZ VPS or a KVM VPS?
  64.  
  65. You can still log in through the console using the root password.
  66.  
  67. Even if you forget the password, it can be reset through rescue mode.
  68.  
  69. I would firewall off port 22 (ssh) or whatever port you move ssh to just as another layer of security. Just limit to your ISP's IP or their range if it moves a lot or use a VPN with a static IP.
  70. -Steven | u2-web@Cooini, LLC - Business Shared Hosting | Isolate sites with Webspaces | Site Builder | PHP-FPM | MariaDB
  71. WHMCS Modules: Staff Knowledgebase | Custom Modules and Hooks
  72. "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle
  73.  
  74. Please do following steps
  75.  
  76. 1. Set Permit root login to NO in the SSH config file and add sudo user and then switch to root user after login as sudo user.
  77.  
  78. 2. Change the SSH port to any other port other than 22 and also enable that port in firewall.
  79.  
  80. 3.Always use static ISP IP and only whitelist that IP in firewall for SSH access.
  81.  
  82. 4.Also you may use key based authentication.
  83. BunnyTech
  84. Senior Server Administrator
  85. Contact bunnytechblogger@gmail.com
  86. Blog https://bunny.tech.blog
  87.  
  88. Hey, Thanks everyone .
  89. I've just disabled the password based login, using keys to log in.
  90.  
  91. Will now proceed to change the port, is there any suggestion (or a range that won't conflict with other service) ?
  92.  
  93. Hey, Thanks everyone .
  94. I've just disabled the password based login, using keys to log in.
  95.  
  96. Will now proceed to change the port, is there any suggestion (or a range that won't conflict with other service) ?
  97. Port range from 1 to 65535, you can use any port you like as long as it is not being used by the system. We have faced the same kind of problem, after changing SSH Port from the default 22 to something more secure issue got resolved.
  98.  
  99. Port range from 1 to 65535, you can use any port you like as long as it is not being used by the system. We have faced the same kind of problem, after changing SSH Port from the default 22 to something more secure issue got resolved.
  100. The port numbers below 1024 are privileged ports. It is your choice if you want to use a port number less than 1024 or more than it.
  101.  
  102. Hello Everyone,
  103. I've recently moved to a VPS from shared hosting, have experience with VPS but never been so indulged for security stuff.
  104. Each hour i'm receiving like 1000's of failed SSH login attempts.
  105.  
  106. I've read few article regarding ssh security, created a new user with SUDO permission but i'm unable to edit files via SFTP access using that user.
  107.  
  108. can you please guide to create a user just like a root and completely disable root user or any other good practice ?
  109.  
  110. Update :- Forgot to mention, issue is related with Files owned by root user and root group, New user cant edit root files via sftp, Centos 7.
  111. - disable root login
  112. - disable password authentication
  113. - enable pubkey authentication
  114. - specify allowed users in the ssh config
  115. - install fail2ban to automatically ban any bruteforce attempts
  116.  
  117. optionally change the ssh port to some other privileged port (< 1024). This won't prevent attacks if they really target you and scan you etc, but it will help stop scripted attacks which expect ssh to run on port 22.
  118.  
  119. Quote Originally Posted by darksecu View Post
  120. One question i have regarding 'Disabling the password and Logging in via key based authentication'.
  121. In case i lose the key, it wouldn't be possible to log in to the server ? & can the key be backed up at some cloud place or mail ?
  122. Of course you should key some copies of the key somewhere safe. If you lose the key, most VPS providers have a web console in their control panel that lets you log in with username and password, bypassing ssh. Do you have such console in your control panel?
  123.  
  124. Quote Originally Posted by darksecu View Post
  125. Hey, Thanks everyone .
  126. I've just disabled the password based login, using keys to log in.
  127.  
  128. Will now proceed to change the port, is there any suggestion (or a range that won't conflict with other service) ?
  129. If you choose to change the port, it is good practice to still use a privileged port, because otherwise some user may be able to run some dodgy server on that port if for some reason the actual ssh stops working. This may not matter if you are going to be the only user on the system or if you trust the other users.
  130.  
  131. - disable root login
  132. - disable password authentication
  133. - enable pubkey authentication
  134. - specify allowed users in the ssh config
  135. - install fail2ban to automatically ban any bruteforce attempts
  136.  
  137. optionally change the ssh port to some other privileged port (< 1024). This won't prevent attacks if they really target you and scan you etc, but it will help stop scripted attacks which expect ssh to run on port 22.
  138.  
  139. Of course you should key some copies of the key somewhere safe. If you lose the key, most VPS providers have a web console in their control panel that lets you log in with username and password, bypassing ssh. Do you have such console in your control panel?
  140.  
  141. If you choose to change the port, it is good practice to still use a privileged port, because otherwise some user may be able to run some dodgy server on that port if for some reason the actual ssh stops working. This may not matter if you are going to be the only user on the system or if you trust the other users.
  142. Thanks a lot for the info , i'm learning learning and learning .
  143. I'm the only user on the VPS, Complete personal use.
  144.  
  145. since i disabled the password based login, would it be just fine not to change the ssh port ?
  146.  
  147. since i disabled the password based login, would it be just fine not to change the ssh port ?
  148. Changing SSH port won't prevent real attacks but like I said it can at least stop those scripted attacks, so it's less noise in your logs etc But like I said it's optional. It's not really required.
  149.  
  150. 802.1x host mode
  151. domain 1 artifacts
  152. livelinkcafe.com
  153. planet-traffic.com
  154. domain error
  155. redsurf.ru
  156. domain model
  157. make money kcd
  158. make money using your car
  159. e host red carpet
  160. discover.tokenbooster.io
  161. ghost pepper
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement