Enable root login from LAN only

Having SSH access to the root account can be catastrophic if someone ever does succeed in breaking into your machine. While the majority of sysadmins turn into rabid wolves upon mention that your machine allows root access, at times it may be necessary.

This should work on any UNIX-based operating system running OpenSSH 4.3p or later. You may determine the version of OpenSSH by using ssh -V.

On Linux, edit /etc/ssh/sshd_config. On Macs, edit /etc/sshd_config. Locate the line that defines PermitRootLogin, uncomment if it is commented out, and change its value to no.

On a separate line, add the following:

Match Address 192.168.2.*,127.0.0.1
      PermitRootLogin yes

This will allow root to login exclusively from your LAN, while denying all attempts from outside.

Tips: Extra security features to go along with this would be:

- Denying usage of 'sudo su'
- Disabling passwordless, guest, or otherwise anauthorized users from using 'su'
- Using the above Match Address syntax to only allow root to login using a publickey, not passwords

No comments:

Post a Comment