Root Lockdown

From Acenet Knowledgebase

For Cloud and Dedicated servers, it is strongly recommended to lock down access to both SSH and the root user account to specific IP addresses. The two procedures below work at different layers: TCP Wrappers (/etc/hosts.allow and /etc/hosts.deny) controls which addresses may connect to sshd at all, and pam_access (/etc/security/access.conf) controls which addresses may log in as root once connected. Keep your current SSH session open while you make these changes, and verify from a second session before you close it, so that a typo cannot lock you out of the server.


Lock down SSH by IP Address

We will start by locking down SSH on your server by explicitly allowing only the IPs that need to connect.

This is strongly recommended to help prevent brute-force attempts against your server. Any client of yours who needs SSH access must be explicitly added to /etc/hosts.allow. TCP Wrappers consults /etc/hosts.allow first, and a match there permits the connection; /etc/hosts.deny is only consulted when nothing in hosts.allow matched, and if neither file matches, the connection is permitted. This mechanism only works if your sshd was built with libwrap support (upstream OpenSSH 6.7 and later no longer include it); check with `ldd /usr/sbin/sshd | grep libwrap`, and if nothing is printed, restrict port 22 with a firewall rule instead.

Step 1, Edit the /etc/hosts.allow file to explicitly allow logins from both the Acenet and your own IP addresses. Include your public IP address so that you can still reach the server yourself; `echo $SSH_CLIENT` in your current session shows the address you are connecting from.

pico /etc/hosts.allow
################
# Acenet Support
################
sshd : 207.45.190.2
sshd : 209.124.44.250
sshd : 209.124.44.251
sshd : 207.45.186.10

###############
#cPanel Support
###############
#sshd : 208.74.121.100
#sshd : 208.74.121.101
#sshd : 208.74.121.102
#sshd : 208.74.121.103
#sshd : 208.74.125.2
#sshd : 69.175.92.60

Step 2, Edit the /etc/hosts.deny file to deny all other IP addresses. Note that this is a different file from Step 1: a `sshd : ALL` line placed in /etc/hosts.allow by mistake would permit every address, the opposite of what is intended.

pico /etc/hosts.deny
sshd : ALL
whostmgrd : ALL

The `whostmgrd : ALL` line has no counterpart in /etc/hosts.allow, so if whostmgrd honors TCP Wrappers on your system, this denies WHM from every address; add matching `whostmgrd :` lines to /etc/hosts.allow for the IPs that should keep WHM access.
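
The lookup order above is the point most often got wrong, so here is a small simulator of the hosts_access(5) decision, written for this page as an added illustration (it is not Acenet's code nor part of the tcp_wrappers package). It reproduces the page's two tables inline so it runs offline; the address 198.51.100.7 (an RFC 5737 documentation address) stands in for "your own public IP" and is an assumption. It also shows what the original typo in Step 2 would have done: `sshd : ALL` in hosts.allow permits everyone.

```python
"""Simulate the TCP Wrappers (hosts_access(5)) decision for a client address.

Lookup order: /etc/hosts.allow is searched first and the first match permits;
only if nothing matched there is /etc/hosts.deny searched, where the first
match denies; if neither file matches, the connection is permitted.
Added example for this page, not code from Acenet or tcp_wrappers.
"""
import ipaddress

# The page's hosts.allow, plus an assumed administrator address (constructed input).
HOSTS_ALLOW = """\
################
# Acenet Support
################
sshd : 207.45.190.2
sshd : 209.124.44.250
sshd : 209.124.44.251
sshd : 207.45.186.10
# your own public IP (assumed for this example)
sshd : 198.51.100.7
"""

# The page's hosts.deny.
HOSTS_DENY = """\
sshd : ALL
whostmgrd : ALL
"""


def _client_matches(pattern: str, ip: str) -> bool:
    """One client pattern: ALL, an exact address, a prefix ending in a dot
    (e.g. '10.0.'), or a network in CIDR or net/mask form."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip


def parse_table(text: str) -> list[tuple[list[str], list[str]]]:
    """Parse 'daemon_list : client_list [: shell_command]' lines. Blank lines
    and lines beginning with '#' are ignored, as the man page documents."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def table_matches(text: str, daemon: str, ip: str) -> bool:
    """True if any rule in the table covers this daemon and client address."""
    for daemons, clients in parse_table(text):
        if any(d in ("ALL", daemon) for d in daemons) and any(
            _client_matches(c, ip) for c in clients
        ):
            return True
    return False


def tcpd_allows(daemon: str, ip: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """Return True if TCP Wrappers would let `ip` reach `daemon`."""
    if table_matches(allow, daemon, ip):
        return True
    if table_matches(deny, daemon, ip):
        return False
    return True  # no rule in either file: the default is to permit


def lockout_check(my_ip: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """Run before closing your session: confirm your own address still gets in."""
    return tcpd_allows("sshd", my_ip, allow, deny)


if __name__ == "__main__":
    for daemon, ip in [("sshd", "207.45.190.2"), ("sshd", "198.51.100.7"),
                       ("sshd", "203.0.113.9"), ("whostmgrd", "207.45.190.2"),
                       ("ftpd", "203.0.113.9")]:
        print(f"{daemon:10} {ip:16} -> {'allow' if tcpd_allows(daemon, ip) else 'deny'}")
    # The typo case: the deny rules typed into hosts.allow. 'sshd : ALL' there
    # is an allow-everyone rule, the opposite of what Step 2 intends.
    print("typo case  203.0.113.9      ->",
          "allow" if tcpd_allows("sshd", "203.0.113.9", HOSTS_ALLOW + HOSTS_DENY, "") else "deny")
```

Note that `ftpd` from an unlisted address is still allowed: the deny file only names sshd and whostmgrd, and the wrappers default is to permit anything no rule covers. On a real server, `tcpdmatch sshd <ip>` from the tcp_wrappers package answers the same question against the live files.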


Lock down root login to the server.

Step 1, Edit the /etc/pam.d/sshd file and add the following line to the top of the list, just under the commented-out PAM header line, so that it is evaluated before the other `account` entries. This only takes effect if /etc/ssh/sshd_config contains `UsePAM yes`; without it, sshd never consults the PAM account stack.

account    required     pam_access.so


Step 2, Edit the /etc/security/access.conf file, and edit the bottom of the file to allow root login from specific IP addresses. Add your IP to the list after the Acenet IPs to allow yourself to connect. Rules are evaluated top to bottom and the first matching line wins, so the `-:root:ALL` line that denies everyone else must stay last. access.conf(5) only documents comments on lines of their own (lines beginning with `#`), so keep comments on separate lines rather than after an address.

+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
# Add root access for Acenet
+:root:207.45.190.2
+:root:209.124.44.250
+:root:209.124.44.251

#
# Add root access for cPanel
#+:root:208.74.121.100 # cPanel
#+:root:208.74.121.101 # cPanel
#+:root:208.74.121.102 # cPanel
#+:root:208.74.121.103 # cPanel
#+:root:208.74.125.2 # cPanel
#+:root:69.175.92.60 # CloudLinux
#
# Remove root access for everyone else
-:root:ALL
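
The following simulator of pam_access evaluation is an added example for this page (not Acenet's or Linux-PAM's code). It implements the access.conf(5) semantics: each line is `permission : users : origins`, the first line whose users and origins both match decides, `+` permits and `-` denies, and if no line matches, access is granted. ACCESS_CONF is the page's configuration with the comments on their own lines and an assumed administrator address 198.51.100.7 (RFC 5737 documentation range). It shows that console logins and non-root users are untouched, and what happens if the `-:root:ALL` catch-all is placed first.

```python
"""Simulate pam_access(8) evaluation of /etc/security/access.conf for a login.

First matching line wins; '+' permits, '-' denies; no match permits.
Added example for this page, not code from Acenet or Linux-PAM.
"""
import ipaddress

# The page's access.conf with an assumed administrator address (constructed input).
ACCESS_CONF = """\
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
# Add root access for Acenet
+:root:207.45.190.2
+:root:209.124.44.250
+:root:209.124.44.251
# Your own public IP (assumed for this example)
+:root:198.51.100.7
# Remove root access for everyone else
-:root:ALL
"""


def parse_access_conf(text: str) -> list[tuple[str, list[str], list[str]]]:
    """Split each rule into (permission, users, origins). The origins field is
    the remainder of the line, so an origin such as ':0' survives the split."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((parts[0], parts[1].split(), parts[2].split()))
    return rules


def _origin_matches(pattern: str, origin: str) -> bool:
    """ALL, an exact host/tty/IP, or a network in CIDR or net/mask form."""
    if pattern == "ALL" or pattern == origin:
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return False


def access_permits(user: str, origin: str, conf: str = ACCESS_CONF) -> bool:
    """True if pam_access would let `user` log in from `origin` (the client IP
    for an SSH login, a tty name for a console login)."""
    for perm, users, origins in parse_access_conf(conf):
        if any(u in ("ALL", user) for u in users) and any(
            _origin_matches(o, origin) for o in origins
        ):
            return perm == "+"
    return True  # nothing matched: pam_access grants access


if __name__ == "__main__":
    for user, origin in [("root", "207.45.190.2"), ("root", "198.51.100.7"),
                         ("root", "203.0.113.9"), ("root", "tty1"),
                         ("alice", "203.0.113.9")]:
        print(f"{user:6} from {origin:14} -> {'permit' if access_permits(user, origin) else 'deny'}")
    # Ordering mistake: the catch-all placed first shadows every later '+' line,
    # so root is denied even from an Acenet address.
    misordered = "-:root:ALL\n" + ACCESS_CONF
    print("misordered, root from 207.45.190.2 ->",
          "permit" if access_permits("root", "207.45.190.2", misordered) else "deny")
```

Non-root users pass through this file unaffected (`alice` from an unlisted address is permitted by pam_access), which is why the TCP Wrappers layer above is still needed to keep unknown addresses off sshd entirely.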


At this point, non-authorized IP addresses should be denied access via SSH, and root login is only possible from the listed IPs. Verify before closing your current session: from a second terminal, confirm that you can still log in from your own address. `tcpdmatch sshd <ip>` (from the tcp_wrappers package) reports how hosts.allow and hosts.deny treat a given address without making a connection, and a refused attempt from an unlisted address appears in the auth log (/var/log/secure on RHEL-style systems) as `refused connect from` for TCP Wrappers or `access denied for user` for pam_access.