

First, back up the configuration file before making major changes. This is a common bit of advice, but it's a real one. It's easy, takes only a moment, and protects you in case of a mistake when editing the file. And who hasn't made a mistake in Vim?

# cp /etc/ssh/sshd_config ~/sshd_config_original

Challenge - Do you consistently back up configuration files before making major edits?

2. Set a banner message

Admittedly, this is as much about legal requirements as anything else, but again, this setting only takes a moment. You can actually provide some pretty good information in banner messages, too. First, we'll write the banner message in the /etc/ file by using Vim. Then we'll open the sshd_config file and tell it to use the content of as the banner.

# vim /etc/

Warning! Authorized use only.

Obviously, you'll want to come up with something specific to your organization. Remove any information that's already in the file.

Next, tell SSH to use the banner message. Open the sshd_config file in Vim, and find the line that reads Banner. You do remember that you can use the forward-slash character in Vim's Command mode to keyword-search a file, right? For example, /banner

# vim /etc/ssh/sshd_config

Find the line that reads # no default banner path, and then uncomment the next line (it says Banner).

Save your changes in Vim with :wq and then restart the SSH service:

# systemctl restart sshd

Note: I'm not going to remind you to restart SSH from this point forward. Any time you make a change to the configuration file, you must restart the service.

Challenge - Is the banner message consistent across all the SSH devices on your network?

3.

This seems like a no-brainer, but empty passwords are clearly a bad idea. You may have other utilities, such as Pluggable Authentication Modules (PAM), regulating your regular passwords, but it's also a good idea to make sure SSH enforces responsible security settings, too.

Open the /etc/ssh/sshd_config file in Vim, and then find the line that reads PermitEmptyPasswords. Uncomment it, and replace the yes value with no.

Prevent the root user from crossing the network via SSH

Send standard user credentials across the network instead of root credentials. Once you've established your SSH connection using a standard user account, use su or sudo to elevate your privileges.

Open the SSH configuration file, and then uncomment the PermitRootLogin line.

PermitRootLogin no

Challenge - your organization has embraced sudo, right?

5.

If you're already preventing the use of the root user account across SSH, why not go a step further and explicitly state which users can connect to the server? Perhaps you have a regular non-root admin account you use or one that's already configured with sudo privileges.
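To confirm that the edits described on this page took effect, the following added example (not from the original article) reads the global section of an sshd_config the way sshd does: a line that is still commented has no effect, keywords are case-insensitive, and the first active occurrence of a keyword wins. The function names, the sample file and the banner path are constructed for illustration; Match blocks and Include files are not evaluated.

```sh
# first_value FILE KEYWORD: value sshd would use (first uncommented occurrence wins).
first_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented or blank: no effect
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at whitespace or "="
            key = n ? substr(line, 1, n - 1) : line
            val = n ? substr(line, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == "match") exit   # conditional blocks: stop here
            if (tolower(key) == tolower(want)) { print val; exit }
        }' "$1"
}

# audit_sshd FILE: one PASS/FAIL line per setting; returns 1 if any check fails.
audit_sshd() {
    rc=0
    root=$(first_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    empty=$(first_value "$1" PermitEmptyPasswords | tr 'A-Z' 'a-z')
    banner=$(first_value "$1" Banner)
    if [ "$root" = no ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin ${root:-unset}"; rc=1; fi
    # Unset passes: OpenSSH's built-in default for PermitEmptyPasswords is "no".
    if [ -z "$empty" ] || [ "$empty" = no ]; then echo "PASS PermitEmptyPasswords ${empty:-unset}"
    else echo "FAIL PermitEmptyPasswords $empty"; rc=1; fi
    case $(printf %s "$banner" | tr 'A-Z' 'a-z') in
        ""|none) echo "FAIL Banner ${banner:-unset}"; rc=1 ;;
        *)       echo "PASS Banner $banner" ;;
    esac
    return "$rc"
}

# Constructed sample: the commented line is ignored, and "yes" comes first so it wins.
write_sample() {
    cat > "$1" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
#PermitEmptyPasswords no
Banner=/etc/ssh/banner.example
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_sshd "$sample" || echo "hardening incomplete"
rm -f "$sample"
```

On a live host, `sshd -T` prints the configuration sshd actually computes, which also covers Include files.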
