In this lab, we will look at how to lock down remote access to a Linux host. We will accomplish this by restricting all remote logins for the `root` account as well as restricting SSH access based on account names.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Prevent remote logins from using the `root` account.
  In order to prevent remote logins from using the `root` account, we’ll need to edit the `/etc/passwd` file. Run the following command: `sudo vipw`
  - Select #2 for nano (easiest).

  Next, edit the line that starts with `root` and replace `/bin/bash` with `/sbin/nologin`. Save and exit the `/etc/passwd` file.
- Permit only the `cloud_user` account to connect to the host via SSH.
  In order to filter SSH access and only permit the `cloud_user` account to access the host via SSH, we’ll need to edit the `sshd_config` file with the following command: `sudo nano /etc/ssh/sshd_config`

  Add the following line to the file just under the second line of the file:

  `AllowUsers cloud_user`
  Note: You can also restrict user access by source hostname, IP address, or subnet, with one `AllowUsers` entry per line, like:

  `AllowUsers cloud_user@10.0.0.0/24`
  `AllowUsers Jhalpert@james.host.int`
  `AllowUsers mscott@192.168.55.10`
  Now, restart the `ssh` service with the following command: `sudo service ssh restart`
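
To confirm that both objectives took effect, the script below audits a passwd-format file and an sshd_config-format file for the two settings made in this lab. It is an added example, not part of the original lab; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample files are constructed for illustration.

# Print the login shell (field 7) recorded for an account in a passwd-format file.
login_shell() {  # $1 = passwd file, $2 = account name
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed only if root's shell refuses logins. Accepting /usr/sbin/nologin and
# /bin/false besides the lab's /sbin/nologin is an assumption of this example.
root_login_disabled() {  # $1 = passwd file
    case "$(login_shell "$1" root)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if at least one AllowUsers pattern exists and every pattern is
# cloud_user or cloud_user@<host>. The keyword is matched case-insensitively,
# commented-out lines are ignored, and patterns from repeated AllowUsers lines
# are all checked. Match blocks are not interpreted.
only_cloud_user_allowed() {  # $1 = sshd_config file
    awk 'tolower($1) == "allowusers" {
             for (i = 2; i <= NF; i++) {
                 n++
                 if ($i !~ /^cloud_user(@.*)?$/) bad++
             }
         }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# Constructed stand-ins for /etc/passwd and /etc/ssh/sshd_config.
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' \
    'cloud_user:x:1001:1001::/home/cloud_user:/bin/bash' > "$tmp/passwd"
printf '%s\n' '# constructed sample' 'Port 22' \
    'AllowUsers cloud_user' > "$tmp/sshd_config"

root_login_disabled "$tmp/passwd" && echo "root: login shell disabled"
only_cloud_user_allowed "$tmp/sshd_config" && echo "ssh: only cloud_user allowed"
```

On the lab host, pass `/etc/passwd` and `/etc/ssh/sshd_config` to the two functions; running `sudo sshd -t` before the restart checks the edited file for syntax errors.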