Any web hosting provider will want to secure SSH root access on its dedicated web servers. This guide is my small contribution toward that, and I hope it helps you all.
Add a user on the dedicated server
To begin, SSH into your server as root. Once you’re logged in, you should see a shell prompt similar to:
The command to add a user is as below. I will be using the username as “support”.
root@server[~]# /usr/sbin/adduser support
Once the user is added you can verify by using the below command:
root@server[~]# cat /etc/passwd | grep support
Set a password for the user (support)
Use the below command to set password for the user “support”:
root@server[~]# passwd support
Note: Make sure you pick a secure password that is between 6-8 characters long and contains letters, numbers, and punctuation marks.
To make sure this user account that you have created works, open another SSH window and proceed to log in with the user “support”. Once you’ve successfully verified that this account works, you may exit the session.
Verifying the su command’s permissions and ownership
It is suggested that you verify the “su” command is owned by root and the wheel group, and at the same time check that its permissions are set correctly.
This can be checked by the below command:
root@server [~]# ls -la /bin/su
The output should be:
-rwsr-x--- 1 root wheel 61168 Nov 18 07:17 /bin/su*
If the output matches the above, you can skip the commands below.
Otherwise, the ownership and permissions of su can be set with:
root@server [~]# chmod 4750 /bin/su
root@server [~]# chown root:wheel /bin/su
Now, add the user to the wheel group
We have to add our new user “support” to the wheel group so that it can gain root access while having *NO* root privileges of its own. That means this user will be able to log into the server, but won’t be able to perform any root tasks until it switches to the root user.
In SSH you have to type the below command:
root@server[~]# /usr/sbin/usermod -G wheel support
Before proceeding, re-login to your server using the “support” account. At the SSH prompt, type “su” followed by the Enter key, and then enter in the root password. If you were successful, you should be at a root prompt:
To confirm that you are root, at the SSH prompt type the command whoami, which should display your root account.
Editing the sshd_config file, and restarting SSH daemon
Now we have to disable direct root access to your dedicated web server. Use the below command:
Scroll down until you see the following come across the screen:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
To disable SSH root login, remove the hash symbol (#) before PermitRootLogin, and change the “yes” next to PermitRootLogin to “no” so now it looks like:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
Note: If you see the value of LoginGraceTime different from my value of 120, you do not need to worry as it does not affect the functionality.
Restarting SSH daemon
Finally, to make the changes take effect, you have to restart SSH by running the following command (as root):
root@server [~]# service sshd restart
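A check worth running on the edited file before the restart, as an added example that is not part of the original article: it reports which PermitRootLogin value is actually active, catching a leftover hash symbol or an earlier duplicate line. The function names and the sample files are constructed for illustration; the check reads only the global section of one file and does not follow Include lines or evaluate Match blocks.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# permit_root_login FILE
# Prints the PermitRootLogin value from the global section of FILE,
# or "unset" when no active (uncommented) line sets it.
permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment and blank lines are inactive
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)       # "Key value" and "Key=value" forms
            key = tolower(f[1])             # keywords are case-insensitive
            if (key == "match") exit        # global section ends at the first Match
            if (key == "permitrootlogin") {
                print f[2]; found = 1; exit # sshd uses the first value it reads
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE: succeeds only when the active value is "no".
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed sample files mirroring the before and after states shown above.
before=$(mktemp) after=$(mktemp)
printf '%s\n' '#LoginGraceTime 600' '#PermitRootLogin yes' '#StrictModes yes' > "$before"
printf '%s\n' '#LoginGraceTime 120' 'PermitRootLogin no' '#StrictModes yes' > "$after"

for f in "$before" "$after"; do
    if root_login_disabled "$f"; then
        echo "PermitRootLogin no is active"
    else
        echo "root login not disabled (value: $(permit_root_login "$f"))"
    fi
done
rm -f "$before" "$after"
```

On a live server, pass the path of the sshd_config file you edited as the argument, and keep your existing root session open until a fresh login as “support” followed by su has been confirmed after the restart.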
Best of luck!
This article is released by SupportFacility.Com — the leaders in providing outsourced technical support, live chat support & help desk support for web hosts.