Allow Or Deny SSH Access To A Particular User Or Group In Linux
The default OpenSSH server configuration file, sshd_config, has two directives for allowing
and two for denying SSH access to particular users or groups.
Allow SSH Access to a user or group
First, we will see how to allow SSH access for a particular user, for example sk.
Please note that all commands should be run as the root user.
On your remote server, edit the sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Add or edit the following line:
AllowUsers sk
Replace “sk” with your username. You can also specify more than one user
as shown below.
AllowUsers sk ostechnix
To allow an entire group, say for example root, add/edit the following
line:
AllowGroups root
Users who are in the “root” group will be able to ssh to the remote
server.
Save and quit the SSH config file. Restart the SSH service for the changes
to take effect.
$ sudo systemctl restart sshd
Now the users sk and ostechnix, and all users in the group “root”, are
allowed to ssh into your remote server. All other users (everyone except sk,
ostechnix and members of the “root” group) can’t.
If you try to ssh to the remote server as a user who is not allowed,
you will get the following error message:
Permission denied, please try again.
Now, let us go ahead and see how to deny/disable ssh access to a
particular user or group.
Deny SSH Access to a user or group
To disable or deny SSH access to a user or group, add or edit the following
directives in your remote server’s sshd_config file.
To deny SSH access to a specific user called “sk”, edit the sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Add or edit the following line in the sshd_config file.
DenyUsers sk
Similarly, to deny SSH access to multiple users, specify the usernames
separated by spaces, as shown below.
DenyUsers sk ostechnix
To deny SSH access to an entire group, for example root, add:
DenyGroups root
Save and quit the ssh config file. Restart the ssh service for the changes
to take effect.
$ sudo systemctl restart sshd
If you try to ssh to the server as a denied user, for example sk:
ssh sk@192.168.1.150
You will get the following message:
sk@192.168.1.150's password:
Permission denied, please try again.
sk@192.168.1.150's password:
More importantly, you should disable root user login too. Root ssh access is
considered a bad practice in terms of security.
To disable root ssh login, edit the sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Find the following line, uncomment it, and set the value to no.
PermitRootLogin no
Restart the SSH service. Congrats! You have just disabled ssh root login.
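As an added example (not code from the original article), the following POSIX shell script checks a user against the AllowUsers, DenyUsers, AllowGroups and DenyGroups directives of a constructed sshd_config excerpt, applying the order that sshd_config(5) documents: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups. It also shows a point the directives above can hide: when both AllowUsers and AllowGroups are set, a login must satisfy both, so a user listed in AllowUsers who is not in an allowed group is still refused. The functions, the sample config and the user/group names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Evaluates AllowUsers/DenyUsers/AllowGroups/DenyGroups the way sshd_config(5) says
# sshd does: in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login
# must satisfy every Allow* directive that is set (users AND groups, not OR).
# Assumptions (not from the page): plain names or * ? wildcards; no user@host form.
set -f   # patterns come from the config; never let the shell glob-expand them
# Constructed sample config for the demonstration, not a real server's file.
SAMPLE_CONFIG='# constructed sshd_config excerpt
PermitRootLogin no
DenyUsers guest*
AllowUsers sk ostechnix
AllowGroups root'
# directive_values <config-text> <Keyword>: print each pattern on its own line
directive_values() {
    printf '%s\n' "$1" | awk -v d="$2" \
        'tolower($1) == tolower(d) { for (i = 2; i <= NF; i++) print $i }'
}
# name_matches <name> [pattern...]: succeeds when name matches any pattern
name_matches() {
    n=$1; shift
    for p in "$@"; do
        case "$n" in $p) return 0 ;; esac   # unquoted $p: * and ? act as wildcards
    done
    return 1
}
# ssh_access <config-text> <user> [group...]: prints allow or deny
ssh_access() {
    cfg=$1; user=$2; shift 2     # remaining arguments: the user's groups
    deny_u=$(directive_values "$cfg" DenyUsers); allow_u=$(directive_values "$cfg" AllowUsers)
    deny_g=$(directive_values "$cfg" DenyGroups); allow_g=$(directive_values "$cfg" AllowGroups)
    # 1. DenyUsers: a matching user is rejected outright
    if name_matches "$user" $deny_u; then echo deny; return 0; fi
    # 2. AllowUsers: when present, the user must match one of its patterns
    if [ -n "$allow_u" ] && ! name_matches "$user" $allow_u; then echo deny; return 0; fi
    # 3. DenyGroups: membership in any listed group rejects the login
    for g in "$@"; do
        if name_matches "$g" $deny_g; then echo deny; return 0; fi
    done
    # 4. AllowGroups: when present, at least one of the user's groups must match
    if [ -n "$allow_g" ]; then
        for g in "$@"; do
            if name_matches "$g" $allow_g; then echo allow; return 0; fi
        done
        echo deny; return 0
    fi
    echo allow
}
# ostechnix is listed in AllowUsers but is not in group root, so AllowGroups rejects it
ssh_access "$SAMPLE_CONFIG" sk sk root          # allow
ssh_access "$SAMPLE_CONFIG" ostechnix ostechnix # deny
```

On the real server, run `sshd -t` to syntax-check sshd_config before restarting the service, since a mistake in these directives can lock out every remote login.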
And, that’s all for now. If you find this guide helpful, share it on
your social and professional networks and support OSTechNix. More good stuff to
come. Stay tuned!
Happy weekend!
Cheers!!
Change the default SSH port
In this How-To we're going to walk you through changing the
default SSH port on a Linux system.
The Secure Shell (SSH) Protocol by default uses port 22.
Accepting this value does not make your system insecure, nor will changing the
port provide a significant variance in security. However, changing the default
SSH port will stop many automated attacks and make it a bit harder to guess which
port SSH is accessible from. In other words, a little security through obscurity.
Before getting started, we suggest
you Learn Linux Basics and follow these precautions.
Steps to follow
Step 1
As root, use your favorite text editor (vi) to edit the sshd configuration file.
vi /etc/ssh/sshd_config
Step 2
Edit the line which states 'Port 22'. But before doing so,
you'll want to read the note below. Choose an appropriate port, also making
sure it is not currently used on the system.
# What ports, IPs and protocols we listen for
Port 50683
Note: The
Internet Assigned Numbers Authority (IANA) is responsible for the global
coordination of the DNS Root, IP addressing, and other Internet protocol
resources. It is good practice to follow their port assignment guidelines.
Having said that, port numbers are divided into three ranges: Well Known Ports,
Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are
those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those
from 1024 through 49151 and should also be avoided. Dynamic and/or Private
Ports are those from 49152 through 65535 and can be used. Though nothing is
stopping you from using reserved port numbers, our suggestion may help avoid
technical issues with port allocation in the future.
Step 3
Switch over to the new port by restarting SSH.
/etc/init.d/ssh restart
Step 4
Verify SSH is listening on the new port by connecting to
it. Note how the port number now needs to be declared.
ssh username@hostname.com -p 50683