Web Hosting Talk







help, I am unable to connect ssh as root!


goolex
11-09-2004, 05:51 PM
I did the following steps to secure ssh. After reconnecting, it is saying access denied for root! But the password is correct!
What can I do?!
Please help.
Thanks



Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)


Uncomment and change

#Protocol 2, 1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.


Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart


Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.

goolex
11-09-2004, 05:57 PM
Now I received an email from root@server.mydomain.com
Subject: Brute Force Warning for server.mydomain.com

The remote system 80.75.3.175 was found to have exceeded acceptable login failures on
server.mydomain.com. As such the attacking host has been banned from further accessing this system; for
the integrity of your host you should investigate this event as soon as possible.

The following are event logs for exceeded login failures from 80.75.3.175 (all time stamps are GMT +0000):
----
- Executed actions:
/etc/apf/apf -d 80.75.3.175

- Log events from /var/log/secure:
Nov 9 20:00:16 host sshd[6765]: Accepted password for root from 80.75.3.175 port 1381 ssh2
Nov 9 21:39:19 host sshd[9582]: Accepted password for root from 80.75.3.175 port 2353 ssh2
Nov 9 21:42:48 host sshd[9804]: Failed password for root from 80.75.3.175 port 2357 ssh2
Nov 9 21:42:55 host sshd[9804]: Failed password for root from 80.75.3.175 port 2357 ssh2
Nov 9 21:43:26 host sshd[9806]: Failed password for root from 80.75.3.175 port 2358 ssh2
Nov 9 21:44:40 host sshd[9806]: Failed password for root from 80.75.3.175 port 2358 ssh2
----

- Thank you;
root@server.mydomain.com

robgct
11-09-2004, 06:11 PM
Did you have a hard time reading your 'steps to secure root', or did you just do it all without looking at what you were actually doing?


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no


That should answer your question.

goolex
11-09-2004, 06:15 PM
Now what can I do?

robgct
11-09-2004, 06:22 PM
Welllllllll.... if you created another user and put them in the wheel group like you shoulda before you did this, you can just su - to root and edit the ssh config file... I don't think you did that... so just contact your provider and ask them to go and edit the ssh file for you and change PermitRootLogin to yes.
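
The precondition robgct describes (a second user in the wheel group before setting PermitRootLogin no) can be checked before sshd is restarted. The script below is an added example, not part of any post in this thread; the user name admin1, the sample files and the assumption that su is restricted to wheel members are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an edited sshd_config for the lockout seen in this thread.
# File paths are arguments so the check can run on copies before sshd is restarted.

# Effective value of a keyword: first uncommented occurrence wins, as in sshd.
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Non-root members of the wheel group in a group(5) file, one per line.
wheel_members() {  # $1 = group file path
    awk -F: '$1 == "wheel" { print $4 }' "$1" | tr ',' '\n' |
        grep -v -e '^root$' -e '^$' || true
}

# Address and port sshd will listen on after the restart.
listen_target() {  # $1 = sshd_config path
    port=$(sshd_value Port "$1")
    addr=$(sshd_value ListenAddress "$1")
    echo "${addr:-0.0.0.0}:${port:-22}"
}

# Return 0 if a path back to root remains after the restart, 1 if not.
lockout_check() {  # $1 = sshd_config path, $2 = group file path
    root_login=$(sshd_value PermitRootLogin "$1")
    # Assumption: an unset keyword means "yes" (the default of that era).
    if [ "${root_login:-yes}" != "no" ]; then
        echo "OK: direct root login still allowed on $(listen_target "$1")"
        return 0
    fi
    members=$(wheel_members "$2")
    if [ -z "$members" ]; then
        echo "LOCKOUT RISK: PermitRootLogin no and wheel has no non-root member"
        return 1
    fi
    echo "OK: log in on $(listen_target "$1") as one of:" $members "and su -"
    return 0
}

# Constructed sample files mirroring the edits quoted in the first post.
demo=$(mktemp -d)
printf 'Port 5678\nProtocol 2\nListenAddress 123.123.123.15\nPermitRootLogin no\n' \
    > "$demo/sshd_config"
printf 'root:x:0:\nwheel:x:10:root\n' > "$demo/group_before"
printf 'root:x:0:\nwheel:x:10:root,admin1\n' > "$demo/group_after"
lockout_check "$demo/sshd_config" "$demo/group_before" || true
lockout_check "$demo/sshd_config" "$demo/group_after"
```

On a live server, point it at /etc/ssh/sshd_config and /etc/group, run sshd -t to catch syntax errors, and keep the existing session open until a login on the new address and port succeeds.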

goolex
11-09-2004, 06:29 PM
xcage
I had another account, but it is saying:
Read permission denied: /etc/ssh/sshd_config

Yes, I should contact my support!
Thanks
:(

This was my first experience :) Read carefully before doing anything!

goolex
11-09-2004, 07:02 PM
Problem resolved!
Not by my host support :)
I just logged in with a normal user, typed SU, entered the root password and fixed sshd_config
;)

Captian_Spike
11-09-2004, 07:49 PM
I would advise leaving it like it was. Disallowing direct root logins adds extra protection because a hacker has to find your username and password, then find the root password on top of that. I get a ton of attempts on my root logins every day. Might be a good thing to think about. Just do all your server admin through su.

Chrysalis
11-09-2004, 07:51 PM
Rather than "fixing" sshd config, get into the habit of logging in as someone else and then using su; it's a layer of security.

goolex
11-09-2004, 07:55 PM
u2mike
Yes, but now my ssh is using another IP with another port.
Now what can they do?
Hacker doesn't know my IP and port!
If I have 10 IPs, a hacker must test 10 IPs * 49151 ports = 491510 times!
491510 times to check, just to find my real port and IP!

robgct
11-09-2004, 08:02 PM
Originally posted by artin1982
u2mike
Yes, but now my ssh is using another IP with another port.
Now what can they do?
Hacker doesn't know my IP and port!
If I have 10 IPs, a hacker must test 10 IPs * 49151 ports = 491510 times!
491510 times to check, just to find my real port and IP!

You do not want to enable root login directly. You should leave it disabled and log in as a regular user and su - to use root.

And you should only bind SSH to one IP on your machine, not all of them.

sawbuck
11-09-2004, 08:06 PM
Or if you want to enable direct root login leave the current setup (su to root) and use secure key authentication to a different port. Requires running a second ssh daemon.