Ubuntu Security :: SFTP/SSH Alternative To Root Login?
Oct 20, 2010
On my Ubuntu 8.04.4 LTS webserver I desperately want to disable the Root account. But at the moment I am unable because I prefer to use Nautilus/Dolphin on my home laptop for SFTP. The graphical interface also helps when comparing multiple config files at once, something that being limited to NANO or PICO would make extremely painful. The problem is that if I don't use ROOT I can't perform any SSH or SFTP actions with a graphical interface, because I can't use SUDO without the terminal. Does anyone else leave root enabled? I have a non-standard port, disabled password authentication in favor of ssh keys, and I have a tarpit configured
I've been administrating a dedicated Linux CentOS 5 (Linux 2.6.26.5-rootserver-20080917a) server for around 2 years, and although not a network or Linux expert, been learning to configure as need arises. Primarily using Plesk for day-to-day, but occasionally using Putty to SSH into server.
For all the time I've had the server, I've been connecting to my server via sFTP using "root" password. ( Although, I know this is really bad practice, I assume made safer by connecting with SSH FTP)
After spending another normal day in the office developing websites, connecting to my server as root using SFTP in Filezilla AND Dreamweaver I left for the night.
Returned next morning, after having done no manual updates or amends to my server; I could no longer SFTP into my server?
Thought it may be related to my office network, so tried it from home over the weekend, same result; can no longer connect SFTP for root?
I can connect to the server via Putty using my "root" username and password.
After spending hours looking on the internet for a solution, I'm lost for ideas as I didn't make any changes?
What happens when I open my Filezilla and try connecting as SFTP is it states:
Error:Connection timed out Error:Could not connect to server
I checked server log /var/log/secure and it states:
Accepted password for root from UNKNOWN port 49212 ssh2 Apr 9 07:41:41 s15320264 sshd[7122]: fatal: Write failed: Connection reset by peer
Odd part is, it's worked fine for weeks, months without ever failing to connect?
Also, notice that Putty connection seems to take much longer to authenticate root user than it used to?
Checked via Plesk Health Monitoring and all CPU, Memory and Disk Levels are well below any alarm levels.
I have run all Plesk updates to 10.2.0 in the hope that it resolved it, but to no avail.
Whenever I login as root, an e-mail with the subject "Security information" is sent outwhere the e-mail address for this message is configured? I need to change it (or perhaps disable it).
I've recently installed 64bit version of ubuntu 9.10 but the GDMsetup doesn't seem to be working as it was in 9.04 i mean to say when you type gdmsetup at console the login window pops up where i can check the check-box "Allow local administrator log in" under security tab. to enable login as root. since it is not working i've to type password every time when i install a package or create a folder in root directory or mount a drive which is quite irritating how can i login as root in gui mode etc... also is there some syntax which i can put into /etc/gdm/custom.conf so i can log in as root....
It's my personal computer, no other users, no one else in the house. I'm behind a separate stand alone firewall (Checkpoint device). I'm the admin on my machine and I'm going to enter sudo, or login as root, every time I need it anyway.
There's no way that having to switch to root is going to make me stop and think about what I'm getting ready to do. In fact it's quite the opposite. If I'm in the midst of troubleshooting, I'm preparing to enter a command that I think is going to work, and I get "Permission denied"... The aggravation is more likely to reduce my logical thinking, and I'll immediately switch to root and type it anyway.
I DO understand the rational of setting users (even admin users) to a lower permission level. However I don't understand the lack of a command to make a user PERMANENTLY root equivilent. Switching back and forth is a waste of time. AND it means that I now have to deal with two home directories... /root and /home/user. Having to type sudo, or su to switch to root, does not protect my system. It only aggravates.
Is there anyway to have a different password for login and root? For example, my account is Bratu. I want a login password: ABCD and my root password: EFG
I'm trying to turn off SSH root login on Ubuntu 10.10. However, changing PermitRootLogin=no (/etc/ssh/sshd_config) do not work. Here is the sshd_config:
Found a major security hole in one of my more crucial linux servers today. (Only locally) I can use the user name "root" and any string for the password. So I can literally type "poop" as the password and the server lets me in. I know how to set root password settings for SSH and sudo, but where are settings located for local access that would allow something like this?
how to enable direct login of root via ssh?I find and info that i just need to update /etc/ssh/sshd_config, but i couldn't see that file in the location.
Can't seem to do it, wondering if anyone knows how? Normally there's something in sshd_config that can be switched to true or yes to allow root login but I can't see it in fedora 12.I can login via root at a terminal no problem, just not via ssh, I get access denied every time. Also, I need to login using password authentication.I've done: 227169 but that's just for GUI which I don't really need since I rarely ever log into the GUI.I have also searched through here and mostly only found info such as above, how to enable root login for GUI, or billions of posts about how logingin as root is bad but I cannotswer to my question.DISCLAIMER: Please do not reply to this thread if all you can contribute is the question of why I need root or to put some message telling me I can do everything using su, etc, etc. Please only contribute if you can answer my question. A: My machine and a valid quesiton. B: Spirit of Linux is open, not restrictive
I have a habbit of openning a 2 sessions of xwindow (I'm using KDE), one as user to browse the internet and the other as root to do some admin work. But someone told me that login to KDE as root is bad in terms of security. Is this true?
I want to count the failure root login attempts so that do an action when the user faild to login as root for three consecutive times (like log a line in syslog).
For a month or so now, I have been enabling ssh and opening port 22. I cron'ed the start and stop commands to leave them open only a few hours a day. After a bit, I checked my logs to find that some IP or another was attempting to brute force my root account.
I took little real threat by the offense.
(1) my system does not allow root to login and
(2) it would cut them off sooner than later when my system issued the stop command.
fast forward
Today I log in to find that all of my log files, as viewed from the gnome log file viewer, were empty of entries from about noon yesterday and prior.
Though I haven't noticed anything at all out of the ordinary with my system, I would like to get more opinions on the matter. Would there be any conceivable way that this was an automatic system routine, a clean up action of something? Additionally, if I was indeed the victim of a hack, what can I do to further protect my system (keeping in mind that I do want to access my system via ssh from time to time)?
I get the problem to acess root password when i am in user login, means wahen i am in user login and want to install software from terminal then he asked root password, when i supplied root password but he give me login incorrect.
How to enable Root login...i cant copy or move something on the HDD...I have administrator rights and password for root but i cant change permissions for the HDD without login on root and root login are not allowed .
I have an ftp server and normal login works fine as well as ftps but for some reason sftp sends all my accounts to the root directory of the entire server (not good). Been searching around but can't find a fix.
I've made an SSH server using OpenSSH on my desktop Ubuntu (10.4) for tunneling. However, I'm noticing that the public account I made for my SSH (one to give to friends to use proxy) has SFTP access to crucial system files. I'm okay with SFTP being enabled on my account, but not on this public account. Does anyone know of anyway to either disable SFTP to that user, or restrict access to important files?
This is my first thread ever to make on the linux forum, and I just began using linux Ubuntu Lucid for my server. Please bare with me because I think I am questioning such a basic question. How do you give sftp root privilege to user? I've made group "admin" and made 2 users under that group. Trying to upload a file onto a server using SFTP with one of the user and it fails and says "Permission denied."
I gave full sudo/root permission to the group "admin" from /usr/sbin/visudo I mainly use Tranmit4 but I also have filezilla. Or is there a way to run sudo command on either ftp client application?
allow sftp access to my Ubuntu system (happens to be desktop as it's also my main system) using accounts that are not able to login normally. (I have already managed to create such accounts.) These accounts need to be chrooted (also already accomplished with the openssh daemon settings.) Where I run into problems is that I want to give them (read only) access to files outside the chroot (on another partition in fact) and the matter if made more difficult because the directories to be shared are on NTFS-3G partitions (as they are a shared linux / windows storage drive). Is this possible and if so, what do I need to do?
Edit - Forgot to include versions Ubuntu 10.10 openssh 1.5.5p1-4ubuntu4 (the one that comes with 10.10)
I'm running an SFPT server which my clients logon to using an FTP client. at the moment each client has a user name and password.
Thus far to improve security I've disabled root login but an looking for futrhrt ways to protect it from attack, having researched using google some of the security features suggested prevent the FPT clients from connecting.
Questions: 1- what further things can i do to secure my server that still allows it to be usable for FTP clients? 2- specifically is it possible to use non login pre-share key authentication?
I have tried, to set this up, but failed what kind of ftp would you guys recomend, as i have been having slight problems over recent days, with unknowns logging onto my annon ftp server, delt with mind.
I am thinking about a proper login even for the annon account, fairly easy to setup.
I've not been having any luck at all finding the answer to this, so thought I'd ask here: is there any way to get my servers to send an email when someone logs in through SFTP? I was able to get that to work with SSH using a simple bit of script in /etc/profile, but I can't find anything on Google about doing that with SFTP at all.
The OpenSSH version on my server is 5.2p1 running on FreeBSD 8.0. Any way to get the server to execute any command on SFTP login will be enough for me to get this set up.
right now i have vsftpd server installed for FTP access. I originally set it up for both FTP and SFTP, but found that SFTP disregarded any and all permission settings and user jailing that i had set up... so I am switching to just being standard FTP
so here is what's happening:
i've tried to disable SFTP in the sshd_config file, but i am still able to log into the ftp server under sftp through port 22 (which normally is ssh?) i've tried all kinds of things short of just blocking port 22, however I would prefer to be able to remote into my server via Putty (which has access restriction to ONLY allow my admin user account over ssh)..
