Disable root SSH remote login and modify SSH telnet port in Linux

Source: Internet
Author: User
Tags ssh centos ssh port ssh server

The security of the server is self-evident, the first step in server security setting is to block the portal.

For Linux, blocking the entrance, is not allow others to casually into our servers inside the mess, otherwise an order "RM-RF/", the consequences of unimaginable. So we can't let people into our servers, and we can't let others use the root user. So the best thing to do is:

On Linux, set to prevent root remote logins, and modify the SSH port "because the default port is 22, to set a more layer of obstacles," and then we need to log in, we use a user without permission to log in, Then use the SU command to switch to root or other user with permission to operate.

After doing so, others even know the server's IP, but do not know the port, also do not know what users to log in, brute force can not be cracked.

Take CentOS as an example, set Linux to prohibit root user ssh remote login, use other user login:

1. Log in with root user

2, using the Groupadd command to create a new login group, dedicated to login

# Groupadd Login
3, go to the storage group information file/etc/group inside Check login group to add success, if there is login:x:501 in the output of information: such information, it is successful "the next 501 is not every machine is the same, 501 is the identity ID of this group, Because your server already has a different group, the default is to start from 500, so login is successful.

# Cat/etc/group
4, using the Useradd command to create a new Zhoumanhe user for SSH remote login, belong to the login group, the user directory under the/home/zhoumanhe

# useradd zhoumanhe-g login-g login-d/home/zhoumanhe
5, to store the user information file/etc/passwd Check whether the user added success. If there is zhoumanhe:x:501:501::/home/zhoumanhe:/bin/bash in the output information, the user is added successfully and belongs to the login group "because the ID of the 501,login group is 501"

# CAT/ETC/PASSWD
6, the use of passwd command to Zhoumanhe users to add a login password, just added is not yet set password.

# passwd Zhoumanhe
Changing password for user Zhoumanhe.
New Password:
Retype new Password:
Passwd:all authentication tokens updated successfully.
Particularly serious hint: in fact, the use of Useradd command can also be added directly to the user to set the password, followed by the "-p to set the password" Why independent out, because if you add this directly, stored in the password file inside the password is clear, that is, your password is 123, stored in the password is also 123, by that time the Linux user's login password is to be encrypted, so it may cause the new user to add Linux login failed, and just finished adding users, SU switch to new add users, input passwd change password will also prompt " Authentication token manipulation Error ", because the password must first enter the old password, you enter 123, but the real password is really encrypted, so prompted error. So the friend who appears this problem, can switch to root user, use "passwd user name" To change the password of newly added user. Do you want to see the success? OK, open the file to store the password to see it, use the command "Cat/etc/shadow" view can be, if there is a user name: A long string, that is successful, if you have entered the plaintext password, then modify the password again!
7, such words will be set up successfully. Manage remote login software and try the Zhoumanhe user login you just added.

8. If successful, we can prohibit the remote login of root user.

9, the use of root login in, if it is just added to the Zhoumanhe users, is the direct input Su, enter the password to switch to the root user.

$
$ su
Password:
#
10, this configuration information in/etc/ssh/sshd_config This file, so open this file

# Vi/etc/ssh/sshd_config
11, find Permitrootlogin Yes this sentence, will be changed to No, exit save;

Permitrootlogin No
12, modify the SSH configuration file, so you have to restart the SSH service to take effect, enter the following command to reboot:

# Service Sshd Restart
13, then reuse the SSH software, using the root login to see it, in login as: After the input root, and then enter, let you enter the password, enter the password, is not found that the password is correct, but prompted "Access denied." Indicates that Root has been banned from SSH telnet;

14. Let's change the port CentOS using SSH telnet. or open/etc/ssh/sshd_config this file.

# Vi/etc/ssh/sshd_config
15, find #Port 22 This line, the front of the # removed, into Port 22, and then enter, and then the next line input Port 8888, and then: Wq save exit. "8888 is the port you want to set, change to you want to set on the line, generally changed into a good memory, but can not be used now the port, otherwise there is conflict." 】

#Port 22
#改成如下
Port 22
Port 8888
Does this mean you have two lines of port? Yes, just two lines. 22 that line is used in case of, in order to avoid, we set the other port in case of login, we can also use the 22-port login to change, otherwise there is no 22 port reservation, their newly added that also login not up, that is only .... Contact Customer Service Bar!
16, just we know, modified SSH configuration file, need to restart the SSH server.

17, use just that port login to see it, success? , you can open/etc/ssh/sshd_config again. This file deletes Port 22, and then saves the exit again and restarts the SSH service.

18, here, our "Linux Prohibit root user ssh remote login and modify SSH remote login port," The purpose is achieved. Log in later, use the new port, the new user login bar, log in and then SU switch root or other rights users.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.