Question : Following security audits, the xFusionCorp Industries security team has rolled out new protocols, including the restriction of direct root SSH login.
Your task is to disable direct SSH root login on all app servers within the Stratos Datacenter.
Please note: Perform the commands below based on your own task; the server, user name and other details might differ, so please read the task carefully before executing. All the best 👍
Solution:
1. First, log in to one of the app servers: ssh tony@stapp01
thor@jump_host /$ ssh tony@stapp01
The authenticity of host 'stapp01 (172.16.238.10)' can't be established.
ECDSA key fingerprint is SHA256:8gbDU2yvj4ePwnTM4S/7yX2IhNGXvei+SRsoArApmhE.
ECDSA key fingerprint is MD5:42:78:49:e0:3f:b4:e4:b9:96:40:c9:9c:9c:ca:d6:b0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stapp01,172.16.238.10' (ECDSA) to the list of known hosts.
tony@stapp01's password:
[tony@stapp01 ~]$ sudo su -
Administrator. It usually boils down to these three things:
#2) Think before you type.
#3) With great power comes great responsibility.
[root@stapp01 ~]#
2. Edit the /etc/ssh/sshd_config file and make the change shown below
[root@stapp01 ~]# cat /etc/ssh/sshd_config | grep PermitRoot
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
[root@stapp01 ~]#
Replace #PermitRootLogin yes with PermitRootLogin no
[root@stapp01 ~]# vi /etc/ssh/sshd_config
[root@stapp01 ~]# cat /etc/ssh/sshd_config | grep PermitRoot
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
[root@stapp01 ~]#
3. Restart service: systemctl restart sshd && systemctl status sshd
[root@stapp01 ~]# systemctl restart sshd && systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-06-11 14:05:14 UTC; 5ms ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 139 (sshd)
   CGroup: /docker/061bee497c9084d31ff314a7186dbe055422f2a00f3541f71876cef7ab815dfd/system.slice/sshd.service
           ├─ 81 sshd: tony [priv]
           ├─ 83 sshd: tony@pts/0
           ├─ 84 -bash
           └─139 /usr/sbin/sshd -D

Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com sshd[139]: WARNING: 'UsePAM no' is not supported in Re...s.
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[139]: Executing: /usr/sbin/sshd -D
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com sshd[139]: Server listening on 0.0.0.0 port 22.
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com sshd[139]: Server listening on :: port 22.
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: Got notification message for unit sshd.service
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: sshd.service: Got notification message fro...1)
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: sshd.service: got READY=1
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: sshd.service changed start -> running
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: Job sshd.service/start finished, result=done
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: Started OpenSSH server daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@stapp01 ~]#
Please note: I have shown the steps only for stapp01. Repeat them on the remaining app servers.
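The manual edit in step 2 can be scripted so it gives the same result on every app server. The following is an added example, not part of the original walkthrough: the helper names and the sample config are constructed, and it assumes the first PermitRootLogin line in the file sits in the global section (before any Match block), as in the stock file.

```shell
#!/bin/sh
# Added example: helper names and the sample config are constructed for illustration.

# Print the global PermitRootLogin value: the first uncommented directive
# before any Match block (sshd uses the first value it reads for a keyword).
effective_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Rewrite the config so it holds exactly one "PermitRootLogin no" line.
# Assumes the first PermitRootLogin line (commented or not) is in the global
# section, as in the stock file; effective_root_login confirms the result.
disable_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk 'tolower($0) ~ /^[ \t]*#?[ \t]*permitrootlogin[ \t]/ {
             if (!done) { print "PermitRootLogin no"; done = 1 }
             next                      # drop later duplicates and overrides
         }
         { print }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! grep -q '^PermitRootLogin no$' "$tmp"; then
        # Directive absent: put it first so it precedes any Match block.
        { echo "PermitRootLogin no"; cat "$tmp"; } > "$tmp.new" && mv "$tmp.new" "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # overwrite in place: keeps owner and mode
}

# Constructed sample resembling the lines shown in step 2.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Port 22
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
PasswordAuthentication yes
EOF
    echo "$f"
}

demo=$(make_sample)
disable_root_login "$demo"
echo "global PermitRootLogin is now: $(effective_root_login "$demo")"
rm -f "$demo"
```

On a real server, run disable_root_login /etc/ssh/sshd_config as root, check the syntax with sshd -t before restarting sshd, and confirm the effective value with sshd -T | grep -i permitrootlogin. Keep the existing SSH session open until a new login as the non-root user succeeds.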
Happy Learning!!!!