If you want to ban direct SSH root login on Debian, you need at least one additional user who can log on to the server, in addition to the root user. Use this user to change to the root account.
ATTENTION: If you have not created another user, you will lock yourself out of the system!
PermitRootLogin no
Edit the /etc/ssh/sshd_config file and change
PermitRootLogin yes
to
PermitRootLogin no
Then restart the SSH service:
/etc/init.d/ssh restart
(alternative: service ssh restart)
The root user is now no longer allowed to log on directly to the system. Log on as a normal user and then switch to the root account with
su
AllowGroups
The AllowGroups parameter also allows you to restrict which users are permitted to log in via SSH.
Excerpt from man sshd_config:
- AllowGroups
- This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
To create a group named sshusers and add a user to this group, run the following commands as root user:
addgroup --system sshusers
adduser xyz sshusers
Then configure the following options in /etc/ssh/sshd_config:
LoginGraceTime 30
AllowGroups sshusers
PermitRootLogin no
StrictModes yes
Then, restart the SSH service
/etc/init.d/ssh restart
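If AllowGroups is set and no account belongs to an allowed group, nobody can log in over SSH after the restart. The following preflight check is an added example, not part of the original article: it reads an sshd_config, passwd and group file and reports whether any non-root user could still log in. The function names and sample files are constructed for illustration; Include files, Match blocks, the "Keyword=value" form and group patterns are not evaluated.

```shell
# Effective global value of a keyword: sshd uses the first occurrence, keywords
# are case-insensitive, and the global section ends at the first Match block.
sshd_value() {  # usage: sshd_value KEYWORD CONFIG_FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Non-root users whose primary or supplementary group is one of the listed names.
# Names are compared literally; sshd pattern wildcards are not expanded here.
allowed_users() {  # usage: allowed_users "GROUP ..." PASSWD_FILE GROUP_FILE
    awk -F: -v allow="$1" '
        BEGIN { n = split(allow, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        FILENAME == ARGV[1] {                  # group file: name:pw:gid:members
            if ($1 in want) { gid[$3] = 1; m = split($4, mem, ","); for (i = 1; i <= m; i++) ok[mem[i]] = 1 }
            next
        }
        ($4 in gid) { ok[$1] = 1 }             # passwd file: field 4 is the primary gid
        END { for (name in ok) if (name != "root" && name != "") print name }
    ' "$3" "$2" | sort
}

# Return 0 when a non-root user can still log in, 1 when the restart locks everyone out.
preflight() {  # usage: preflight CONFIG_FILE PASSWD_FILE GROUP_FILE
    allow=$(sshd_value AllowGroups "$1")
    [ -n "$allow" ] || { echo "AllowGroups unset: no group restriction to check"; return 0; }
    users=$(allowed_users "$allow" "$2" "$3")
    if [ -z "$users" ]; then
        echo "LOCKOUT: no non-root user is a member of: $allow"; return 1
    fi
    echo "OK (PermitRootLogin $(sshd_value PermitRootLogin "$1")): login possible for:" $users
}

# Constructed sample files: user xyz is in sshusers, user abc is not.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' 'LoginGraceTime 30' 'AllowGroups sshusers' 'PermitRootLogin no' \
        'StrictModes yes' > "$1/sshd_config"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'xyz:x:1000:1000::/home/xyz:/bin/bash' \
        'abc:x:1001:1001::/home/abc:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'xyz:x:1000:' 'abc:x:1001:' 'sshusers:x:999:xyz' > "$1/group"
}

tmp=$(mktemp -d) && make_sample "$tmp"
preflight "$tmp/sshd_config" "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On the server, run preflight against /etc/ssh/sshd_config, /etc/passwd and /etc/group before restarting, together with sshd -t, which checks the configuration file for syntax errors.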
Further protection of the SSH server
For more information about securing an SSH server, see the following articles: