Root Lockdown
For Cloud and Dedicated servers, it is strongly recommended to lock down access to both SSH and the root user account to specific IP addresses.
Lockdown SSH by IP Address
We will start by locking down SSH on your server by explicitly allowing only the IPs that need to connect.
This is strongly recommended to help prevent brute-force attempts against your server. Any clients of yours who need SSH would also have to be explicitly added to /etc/hosts.allow to be allowed to connect.
Step 1, Edit the /etc/hosts.allow file to explicitly allow logins from both Acenet's IP addresses and your own. Include your public IP address so that you can still access the server yourself.
<syntaxhighlight lang="bash">pico /etc/hosts.allow</syntaxhighlight>
<syntaxhighlight lang="bash">
# Acenet Support
sshd : 207.45.190.2
sshd : 209.124.44.250
sshd : 209.124.44.251
sshd : 207.45.186.10
# cPanel Support
sshd : 208.74.121.100
sshd : 208.74.121.101
sshd : 208.74.121.102
sshd : 208.74.121.103
sshd : 208.74.125.2
sshd : 69.175.92.60
</syntaxhighlight>
Step 2, Edit the /etc/hosts.deny file to deny all other IP addresses.
<syntaxhighlight lang="bash">pico /etc/hosts.deny</syntaxhighlight>
<syntaxhighlight lang="bash">
sshd : ALL
whostmgrd : ALL
</syntaxhighlight>
Lockdown root login to the server
Step 1, Edit the /etc/pam.d/sshd file and add the following line to the top of the list, just under the commented-out PAM header line.
<syntaxhighlight lang="bash">
account required pam_access.so
</syntaxhighlight>
Step 2, Edit the /etc/security/access.conf file and add the following at the bottom of the file to allow root login only from specific IP addresses. Add your own IP to the list after the Acenet IPs so that you can still connect as root.
<syntaxhighlight lang="bash">
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
# Add root access for Acenet
+:root:207.45.190.2 # Acenet
+:root:209.124.44.250 # Acenet
+:root:209.124.44.251 # Acenet
# Add root access for cPanel
+:root:208.74.121.100 # cPanel
+:root:208.74.121.101 # cPanel
+:root:208.74.121.102 # cPanel
+:root:208.74.121.103 # cPanel
+:root:208.74.125.2 # cPanel
+:root:69.175.92.60 # CloudLinux
# Remove root access for everyone else
-:root:ALL
</syntaxhighlight>
At this point, unauthorized IP addresses should be refused SSH connections entirely, and root login is only possible from the listed IPs.
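To check what the two files above actually decide before relying on them on a live server, here is an added simulator (example code written for this page, not part of the original guide or any Acenet/cPanel tooling). It models the evaluation order of TCP Wrappers (hosts.allow first, then hosts.deny, then accept by default) and of pam_access (first matching access.conf line wins, no match means allow), then chains them the way a root-over-SSH attempt meets them. The rule files and addresses inside it are constructed placeholders from the documentation ranges, not the page's real support IPs, and the matcher is deliberately simplified: no EXCEPT lists, no @group or (group) user fields, no LOCAL keyword, no hostnames or network/netmask origins.

```python
"""Simulate the two access layers this page configures.

Added example, not from the original page: a simplified model of how
TCP Wrappers (hosts.allow / hosts.deny) and pam_access (access.conf)
decide whether a connection is accepted. The rule files below are
constructed sample data laid out like the page's files, using
documentation-range placeholder addresses instead of real support IPs.
Not modelled: EXCEPT lists, @group / (group) user fields, LOCAL,
hostnames, and network/netmask origins.
"""

# Constructed sample files (placeholders, not the page's real addresses).
HOSTS_ALLOW = """
# Support IPs allowed to reach sshd
sshd : 203.0.113.10
sshd : 203.0.113.11
sshd : 198.51.100.5
"""

HOSTS_DENY = """
sshd : ALL
whostmgrd : ALL
"""

ACCESS_CONF = """
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:root:203.0.113.10   # support
+:root:203.0.113.11   # support
-:root:ALL
"""


def _rules(text, maxsplit=-1):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield [f.strip() for f in line.split(":", maxsplit)]


def _origin_matches(pattern, origin):
    """ALL, an exact address/tty name, or a trailing-dot network prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # e.g. "203.0.113." covers the whole /24
        return origin.startswith(pattern)
    return pattern == origin


def _wrapper_rule_matches(fields, daemon, ip):
    """A hosts.allow/hosts.deny line is 'daemon_list : client_list'."""
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    return any(d in ("ALL", daemon) for d in daemons) and any(
        _origin_matches(c, ip) for c in clients
    )


def tcp_wrappers_allows(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first (match -> accept), then hosts.deny
    (match -> refuse); with no match in either file the connection is
    accepted, which is why the page adds 'sshd : ALL' to hosts.deny."""
    for fields in _rules(allow):
        if _wrapper_rule_matches(fields, daemon, ip):
            return True
    for fields in _rules(deny):
        if _wrapper_rule_matches(fields, daemon, ip):
            return False
    return True


def pam_access_allows(user, origin, conf=ACCESS_CONF):
    """access.conf is 'permission : users : origins'; the first line whose
    user and origin both match decides, and no match at all means allow.
    The origins field is kept whole (maxsplit=2) so ':0' survives."""
    for fields in _rules(conf, maxsplit=2):
        if len(fields) != 3:
            continue
        permission, users, origins = fields
        if any(u in ("ALL", user) for u in users.split()) and any(
            _origin_matches(o, origin) for o in origins.split()
        ):
            return permission == "+"
    return True


def ssh_root_login_allowed(ip):
    """Chain the layers as a root-over-SSH attempt hits them: TCP Wrappers
    at connect time, then the pam_access 'account' check after auth."""
    if not tcp_wrappers_allows("sshd", ip):
        return "refused at connect (hosts.deny)"
    if not pam_access_allows("root", ip):
        return "connected, root denied by access.conf"
    return "root login allowed"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.77"):
        print(f"{ip:>14}: {ssh_root_login_allowed(ip)}")
```

Two things the simulator cannot tell you about a real host: the hosts.allow/hosts.deny layer only takes effect if sshd is linked against libwrap, and OpenSSH dropped that support in 6.7, so on many current distributions sshd ignores these files and an equivalent firewall rule is needed instead; and the access.conf layer only runs when sshd_config has UsePAM yes, since pam_access is consulted through the PAM account stack.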