Technology growth is rapid, implementing solutions without proper restriction would cause data leak, cyberattacks. First line of defence for any solution would be its users. Granting granular privilege and role based access is one of the critical task that should be implemented.
SSH is Secure SHELL protocol works on port 22. In Linux, Users over remote connect to administer and manage daily activities on the server. There are multiple security ways of handling user access. In this blog I will be writing how we will restrict SSH access to server.
Create a Group in Linux that will contain all the users who will be provided SSH access to the server.
#groupadd ssh-users
You can also specify a group id for this group and maintain it across your environment to manage it with config automation tools like ansible and others in a large scale in future.
#groupadd -g 3000 ssh-users
Create user and add to the ssh-users group
# useradd -c "SSH Allowed user" -m -d /home/karthick -s /bin/bash -aG ssh-users karthick
where,
-c is comment for a administrator to identify what user or a brief about the user.
-d is mention home directory of the user
-s is login shell that the user will be using.
-a is to append user to the mentioned group
-G is to add user to the secondary groups mentioned.
SSH Restriction
Edit the sshd_config file under /etc/ssh/sshd and add the following line in the end.
AllowGroups ssh-users
Restart the sshd service.
#systemctl restart sshd
Now, ssh will be restricted to all users, except for those who are added in this ssh-users group.
Ansible Automation
I have written a sample ansible play to automate these tasks in my git - SSH-Restriction
Best Practices:
Never allow any Privileged/Admin accounts Remote SSH Access.
Always provide SSH access to normal user and then allow sudo escalation or su to privileged user with password.
References:
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_handlers.html
OS:
RHEL, SUSE Linux, Centos
