Linux Router – Setting up SSH and PAM (3/3 – optional) – RHEL 7 / CentOS 7
Read:
In this video, I show you how to set up PAM security to prevent SSH users from logging in as root, as well as how to test it. I also show you how to change the SSH port and add it to the iptables rules (OPTIONAL!). Also note that anything I do in this may be deemed non-secure in some ways. Well, I’m perfectly aware of that. I’m just showing how to do specific things. Security is the next step, and can be read up on.
This tutorial and others at: https://linuxguideandhints.com
If you want a truly secure SSH ability, you may want to read this as a reference… http://fedorasolved.org/post-install-solutions/securing-ssh . I do not cover this.
Notes:
If you use debian or anything debian based, I cannot help you.
Prerequisites:
- You followed the first two videos
- DHCP and iptables concepts understood and completed on your server
You can follow along completely if you use these distributions:
- Fedora 20+
- CentOS 7
Commands to note:
vi – An editor in Linux. i enters insert mode, o opens a new line below the cursor, Shift+G jumps to the end of the file, Esc returns to command mode. :wq saves the file and quits (ZZ does too).
systemctl restart name – name being the name of the service (for example, sshd)
ssh – Secure Shell. Allows a machine to remotely access another over an encrypted connection.
useradd – Adds a user
passwd – Changes the password for a user (if typed without a username, it changes the password of the currently logged-in user)
usermod – Changes user account information (for example, group membership)
Files/Folders to note:
/etc/ssh/sshd_config :: Where the SSH configuration is stored.
/etc/sysconfig/iptables :: Iptables rules.
/etc/pam.d/su :: Where su settings are stored for PAM.
Look for MaxAuthTries in sshd_config. It is commented out by default; you may want to uncomment it and lower the number of authentication attempts allowed per connection.
FAQ:
1. I changed the SSH port, but the port is still 22…
A. Make sure to take the # off the ‘Port’ line in sshd_config, then run “systemctl restart sshd” (without quotes).
2. I changed PermitRootLogin yes to no and it still let me log in as root…
A. Take the # off that line, then run “systemctl restart sshd”.
3. Do I have to have an SSH port open?
A. No, you don’t. If you want to be completely secure, then yes, you would not allow anyone to shell in at all. The purpose of the PAM setup is to make sure that, if you do leave an SSH port open, no one can crack the root password over it.
4. Why can’t I just turn SELinux off?
A. www.stopdisablingselinux.com
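The three files listed above (sshd_config, /etc/pam.d/su, /etc/sysconfig/iptables) and FAQ 1 and 2 share one pitfall: sshd and PAM both ignore any line that starts with #, so a setting that is only present as a commented-out default is not in effect. The script below is an added example, not code from the video or from linuxguideandhints.com. It reads the settings the way the daemons do and reports whether the edits this tutorial makes are really active. The port number 2222, the pam_wheel line as the su restriction, the iptables rule form, and the "before"/"after" sample files are assumptions constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the video): check whether the settings this
# tutorial edits are actually in effect. Paths, port 2222 and the sample
# file contents below are constructed assumptions for illustration.

# effective_value FILE KEYWORD -> prints the value of the first uncommented
# KEYWORD line, which is how sshd resolves it (first match wins). Prints
# nothing when the keyword only appears as a commented-out default.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # a commented line is not a setting
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd FILE -> 0 if root login is off, MaxAuthTries is set and below
# the OpenSSH default of 6, and Port is uncommented; otherwise prints each
# problem and returns 1.
check_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    tries=$(effective_value "$1" MaxAuthTries)
    port=$(effective_value "$1" Port)
    [ "$root" = "no" ] || { echo "PermitRootLogin is not 'no' (got '${root:-unset}')"; rc=1; }
    [ -n "$tries" ] && [ "$tries" -lt 6 ] || { echo "MaxAuthTries not lowered (got '${tries:-unset}')"; rc=1; }
    [ -n "$port" ] || { echo "Port is still commented out, so sshd stays on 22"; rc=1; }
    return $rc
}

# pam_wheel_enabled FILE -> 0 if /etc/pam.d/su has an uncommented pam_wheel
# line, i.e. only members of the wheel group may su to root.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# iptables_allows FILE PORT -> 0 if /etc/sysconfig/iptables accepts new TCP
# connections to PORT (rule form used by the CentOS 7 iptables service).
iptables_allows() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}

# make_sample STAGE DIR -> writes constructed copies of the three files into
# DIR. "before" mimics a fresh install where every setting is commented out;
# "after" is the edited state this tutorial aims for.
make_sample() {
    case "$1" in
    before)
        printf '%s\n' '#Port 22' '#PermitRootLogin yes' '#MaxAuthTries 6' > "$2/sshd_config"
        printf '%s\n' '#auth required pam_wheel.so use_uid' 'auth include system-auth' > "$2/su"
        printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' > "$2/iptables"
        ;;
    after)
        printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'MaxAuthTries 3' > "$2/sshd_config"
        printf '%s\n' 'auth required pam_wheel.so use_uid' 'auth include system-auth' > "$2/su"
        printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT' > "$2/iptables"
        ;;
    esac
}

# demo -> runs the checks against both sample stages in a scratch directory.
demo() {
    d=$(mktemp -d)
    for stage in before after; do
        mkdir -p "$d/$stage" && make_sample "$stage" "$d/$stage"
        echo "== $stage =="
        check_sshd "$d/$stage/sshd_config" && echo "sshd_config OK"
        pam_wheel_enabled "$d/$stage/su" && echo "pam_wheel active" || echo "pam_wheel still commented out"
        iptables_allows "$d/$stage/iptables" 2222 && echo "port 2222 allowed" || echo "port 2222 not in iptables rules"
    done
    rm -rf "$d"
}

# After editing the real files: 'systemctl restart sshd' and
# 'systemctl restart iptables' so the changes take effect. With SELinux
# enforcing (see FAQ 4), register the new port before restarting sshd:
#   semanage port -a -t ssh_port_t -p tcp 2222
demo
```

Run it as plain sh; the "before" stage reports all three problems and the "after" stage passes. Point the check functions at the real /etc/ssh/sshd_config, /etc/pam.d/su and /etc/sysconfig/iptables to verify your own edits before restarting the services.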