Transcript from the "Disabling the Root User" Lesson
>> Jem Young: Next thing I wanna do now that we're successfully logged in our server, we know our server has or our new user has route access. We're gonna disable route, cuz remember all those people trying to get in, it's never beneficial for them to get in as route. And route is one of the more common username, so they're gonna try to break it as well.
>> Jem Young: First thing we need to do is, actually don't need this change the permissions. But for now we're gonna change permissions, so that it's read and readable by our users. So you're gonna probably sudo chmod 644 and that authorized key file. So I'm gonna do that here, in my server.
[00:00:36] So, we'll see if I need sudo. chmod 644 -/ .ssh/authorized_keys. Cool, didn't need sudo for that one. And we actually did need to do this step, but depending on what your server is set up as, you may need to do it. So I just added it in there for the future, just kinda bullet proofing ourselves.
[00:01:00] And all we're doing is changing that the permissions that file so they're not reading readable by everybody. They're only readable and rattled by sudo, myself, and certain file system daemons, like SSH daemon.
>> Jem Young: Next thing we're gonna do, now we're gonna disable root login. So we're gonna modify our SSH config, or the SSH daemon config on our server itself.
[00:01:17] So sudo vi /etc/ssh/sshd_config. And remember, you can always tab complete and most of this. Let'say sudo vi /etc/ssh/sshd_config, my password. And now we're in the SSH daemon config. The daemon is a program that's always running in the background. And that's what allows us the SSH and we don't need to do anything to start it.
[00:01:52] We don't need to do anything to stop it. It's just constantly running and listening. And we're gonna disable RootLogin.
>> Jem Young: So I'm just gonna edit and switch that to a no. Is there anything else I wanna change in here? PubkeyAuthentication, that's fine. StrictMode, I'll leave it as is for now.
[00:02:17] I don't wanna mess too much with it. But with SSH daemon, you can do lots of things like enable password login, disable password login. Have max retry, so someone can only retry a certain amount of time for just bands them completely for a certain amount of time. Maximum number of times you can be logged in as one user, things like that.
[00:02:36] We're gonna leave that alone for now. A word of caution, anytime you're using sudo means you can do something really dangerous for modifying SSH daemon configuration. You can modify it in such a way that you can lock yourself out of your own server, which would be pretty embarrassing.
[00:02:50] But if that happens to start over again, you'll catch up pretty quickly. It's not the end of the world. These all become a real big deal if you have a production server and you lock yourself out of production serve,r known to get in and yeah [LAUGH] Yes.
>> Speaker 2: You've changed the port.
>> Jem Young: I don't, for the case of this class, but a lot of people they find changing the port is helpful support. SSH is always on port 22 by default. You can change the port to something else. Anything else you want. Well, that's not already being used. Which it helps a little bit with people constantly attacking your server cuz they know SSH on port 22.
[00:03:27] But we call that security above security. You think you're more safe because you're like, my door's actually down here. And you feel safer. But that's not a real thing. There are lessons in the history of security and computing, security above security is the one that will get you in the long run.
[00:03:48] Trying to obscure things, people don't know SSH anything, so they have to know to choose a different port. And also, you'll probably forget what the port is. And honestly you should just be more secure in general, yes?
>> Speaker 2: How is that different than changing the user name, though?
>> Jem Young: From?
>> Speaker 2: From root to whatever you chose, I mean you're making it more obscure. How was it? Why wouldn't it be good to change both the user and the port number?
>> Jem Young: You could and generally when people set up computers a lot of times thet do that.
[00:04:25] Changing the username was not so much for security, so much as we don't wanna be rude. It's just a dangerous place to be and we're gonna have to switch users. Yeah, it helps a tiny, tiny bit. But again, I would not ever say that's for security. It's just because it's a good practice to do.
[00:04:41] But good question. But yeah, security by obscurity is never, never good example. You might even say like I'm gonna set up my server and not put any security on it cuz it's like, who's gonna find it? Someone will find it and they will get it. [LAUGH] I promise you, they will.
[00:04:55] So we're just gonna wq out of here.
>> Jem Young: And the next thing we wanna do is we change the configuration but because that daemon's always running, it's not always checking the config. So we wanna restart that service. So to do that we say sudo service sshd SSH daemon and just add restart.
[00:05:15] You have to login twice, it's okay.
>> Jem Young: So sudo service sshd restart.
>> Jem Young: And now if I did everything correctly I'm gonna try to log in as roots and it won't let me anymore. That means we configured it properly. All right, we're in, we disable the root login.
[00:05:47] I'm feeling better about that. We have root if we ever need to with sudo. But again, we don't wanna do things on root, unless you're just really lazy. You don't wanna type sudo all the time but. Yes.
>> Speaker 2: So we both have System restart required. What do you think that is?
>> Jem Young: It does that every time you run a large update or upgrade, it's gonna say restart your system. What we can do is turn the box off, while we're not actually turned the box off, we're turning our tiny little fraction of a box off. And turn it back on and I'll fix that.
[00:06:17] But for now, it's not that important for now. Later it will be. And later we'll talk about process managers, which means how to get everything you need up and running when you're sort of research versus having to start it manually and then keep it up and running. But that'll be a little bit later.
[00:06:34] But good question. But for now, don't sweat that too much. We have root. If you really want, you can keep doing things as root. I don't recommend it [LAUGH]. You are on your own if you do that.