{"id":1156,"date":"2017-10-23T11:30:04","date_gmt":"2017-10-23T08:30:04","guid":{"rendered":"https:\/\/community.virtono.com\/?p=1156"},"modified":"2020-06-10T16:46:25","modified_gmt":"2020-06-10T13:46:25","slug":"ssh-root-forbid-login-under-debian","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/ssh-root-forbid-login-under-debian\/","title":{"rendered":"SSH root forbid login under Debian"},"content":{"rendered":"<p>If you want to disable direct SSH root login on Debian, you need at least one additional user, besides root, who can log on to the server.\u00a0Log in as this user and then switch to the root account.<\/p>\n<p><b>ATTENTION:<\/b>\u00a0If you have not created another user, you will lock yourself out of the system!<\/p>\n<h2><span class=\"ez-toc-section\" id=\"PermitRootLogin_no\"><\/span><span id=\"PermitRootLogin_no\" class=\"mw-headline\">PermitRootLogin no<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Edit the \/etc\/ssh\/sshd_config file and change<\/p>\n<pre>PermitRootLogin yes\r\n<\/pre>\n<p>to<\/p>\n<pre>PermitRootLogin no\r\n<\/pre>\n<p>Then restart the SSH service:<\/p>\n<pre>\/etc\/init.d\/ssh restart\r\n# alternative: service ssh restart\r\n<\/pre>\n<p>The root user is now no longer allowed to log on directly to the system.\u00a0Log on as a normal user and then run<\/p>\n<pre>su\r\n<\/pre>\n<p>to switch to the root account.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"AllowGroups\"><\/span><span id=\"AllowGroups\" class=\"mw-headline\">AllowGroups<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The AllowGroups parameter also allows you to restrict which users are permitted to 
log in via SSH.<\/p>\n<p>Excerpt from\u00a0<code>man sshd_config<\/code>:<\/p>\n<dl>\n<dd><cite>AllowGroups<\/cite>\n<dl>\n<dd><cite>This keyword can be followed by a list of group name patterns, separated by spaces.\u00a0If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.\u00a0Only group names are valid;\u00a0a numerical group ID is not recognized.\u00a0By default, login is allowed for all groups.\u00a0The allow\/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.<\/cite><\/dd>\n<\/dl>\n<\/dd>\n<\/dl>\n<p>To create a group named sshusers and add a user (xyz in this example) to this group, run the following commands as the root user:<\/p>\n<pre>addgroup --system sshusers\r\nadduser xyz sshusers\r\n<\/pre>\n<p>Then configure the following options in \/etc\/ssh\/sshd_config:<\/p>\n<pre>LoginGraceTime 30\r\nAllowGroups sshusers\r\nPermitRootLogin no\r\nStrictModes yes\r\n<\/pre>\n<p>Then restart the SSH service:<\/p>\n<pre>\/etc\/init.d\/ssh restart<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Further_protection_of_the_SSH_server\"><\/span><span id=\"Weitere_Absicherung_des_SSH_Servers\" class=\"mw-headline\">Further protection of the SSH server<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>For more information about securing an SSH server, see the following articles:<\/p>\n<ul>\n<li><a href=\"https:\/\/wp.me\/p7ISfL-ix\" target=\"_blank\" rel=\"noopener\">SSH Login under Debian with fail2ban<\/a><\/li>\n<li><a href=\"https:\/\/wp.me\/p7ISfL-iF\" target=\"_blank\" rel=\"noopener\">SSH Key Login<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>If you want to ban direct SSH root login on Debian, you need at least one additional user who can log on to the server, in addition to the root user.\u00a0Use this user to change to the root account. 
ATTENTION:\u00a0If you have not created another user, you lock yourself out<\/p>\n","protected":false},"author":4,"featured_media":1163,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[3],"tags":[],"class_list":["post-1156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorial-how-to"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/ssh_installer_2.jpg?fit=638%2C478&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-iE","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":1157,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/ssh-key-login\/","url_meta":{"origin":1156,"position":0},"title":"SSH Key Login","author":"Shreyash Sharma","date":"October 24, 2017","format":false,"excerpt":"Note:\u00a0This article applies to older SSH versions (SSH version 1).\u00a0For the latest information on SSH key logins, see\u00a0OpenSSH Public Key Authentication under Ubuntu\u00a0. 
SSH Config for SSH Key customize On the remote server, the \/ Etc \/ ssh \/ sshd_config to be edited.\u00a0Change the following values: current: RSAAuthentification yes New:\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/public-key-auth-workflow.png?fit=632%2C696&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/public-key-auth-workflow.png?fit=632%2C696&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/public-key-auth-workflow.png?fit=632%2C696&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":1149,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/ssh-login-under-debian-with-fail2ban\/","url_meta":{"origin":1156,"position":1},"title":"SSH Login under Debian with fail2ban","author":"Shreyash Sharma","date":"October 22, 2017","format":false,"excerpt":"The tool\u00a0fail2ban\u00a0,\u00a0written in Python,\u00a0aims to secure server services against DoS attacks.\u00a0It checks log files for predefined patterns and temporarily blocks the corresponding IP addresses if the failed access is repeated.\u00a0This article shows you how to back up a Debian-based server with fail2ban.\u00a0The deployed version of fail2ban is\u00a00.9.6-2\u00a0under\u00a0Debian 9.1\u00a0. 
Problem In\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/fail2ban-logo2.png?fit=459%2C441&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3176,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-change-ssh-port-on-linux-or-unix\/","url_meta":{"origin":1156,"position":2},"title":"How to Change SSH Port on Linux or Unix","author":"George B.","date":"April 6, 2023","format":false,"excerpt":"By default, SSH listens on port 22, if you want to change SSH port to a non-standard port can help enhance server security by making it harder for attackers to find and exploit SSH vulnerabilities. In this article, we will walk through the process of changing the SSH port on\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Change-SSH-Port-on-Linux-or-Unix.png?fit=600%2C340&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Change-SSH-Port-on-Linux-or-Unix.png?fit=600%2C340&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Change-SSH-Port-on-Linux-or-Unix.png?fit=600%2C340&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":3330,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-set-up-ssh-keys-on-ubuntu-20-04\/","url_meta":{"origin":1156,"position":3},"title":"How to Set Up SSH Keys on Ubuntu 20.04","author":"George B.","date":"April 27, 2023","format":false,"excerpt":"In this tutorial, we will learn how to set up SSH keys 
on Ubuntu 20.04. Secure Shell (SSH) is a protocol used to securely connect to a remote server or computer. It provides a secure way to transfer files, execute remote commands, and manage remote systems. SSH keys are a\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Set-Up-SSH-Keys-on-Ubuntu-20.04.png?fit=600%2C330&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Set-Up-SSH-Keys-on-Ubuntu-20.04.png?fit=600%2C330&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Set-Up-SSH-Keys-on-Ubuntu-20.04.png?fit=600%2C330&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":497,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-change-the-ssh-port-for-your-linux-based-server\/","url_meta":{"origin":1156,"position":4},"title":"How to Change the SSH Port for Your Linux Based Server","author":"Daniel Draga","date":"August 20, 2016","format":false,"excerpt":"Logging in, you might have noticed this, sometimes: \u00a0 You will notice that whenever you leave ssh on the standard port, attempted logins fill up your authorization logs. 
Changing to a different port will make it less frequent.This is because the vast majority of people hunting for any open ssh\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1158,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/openssh-public-key-authentication-under-ubuntu\/","url_meta":{"origin":1156,"position":5},"title":"OpenSSH public key authentication under Ubuntu","author":"Shreyash Sharma","date":"October 24, 2017","format":false,"excerpt":"This article shows how\u00a0SSH access is\u00a0configured\u00a0for\u00a0public-key\u00a0authentication\u00a0.\u00a0To do so, a key pair is created on the client, the public part of the keys are transferred to the server, and the server is set up for key authentication.\u00a0The user can log on to the server without a login password, only the password\u2026","rel":"","context":"In 
&quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=1156"}],"version-history":[{"count":1,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1156\/revisions"}],"predecessor-version":[{"id":1164,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1156\/revisions\/1164"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/1163"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=1156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=1156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=1156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}