Manage user accounts

In YaST we create – in addition to the administrator “root” – two new users with restricted rights, i.e. in the standard group “users” and no other group.

  • One of them is the only one allowed to log in remotely, here in the manual it is called “example”.
  • The second account is used for OpenSim and is called “maria” in the examples. This trick makes it possible that you never need to type in the password of “root” in the OpenSim account.

Reason: Who comes with the user account on the server, probably spied out the user password. In such a scenario sudo offers no protection! Therefore, the use of sudo is not allowed here. Of course, this configuration requires discipline to use the root account only for administration purposes and to leave it as soon as possible.

Hardening SSH

Most scripted attacks point to standard ports and users. That is why we change SSH to an unusual port and allow only one specific user ID (without root privileges).

Remark: Please prepare an up to date backup prior to these configuration steps. If you lock yourself out with a faulty SSH configuration, this is irrevocable!
Backstop: Most server hosting companies however offer some means of web based configuration system where you can boot from a rescue system and mount your corrupted root file system to correct the settings. Check with your provider, if they offer similar support.

Caution: Permit the newly configured SSH port in your firewall or once again you will be locked out!

1) In /etc/ssh/sshd_config change the port to the desired value e.g. port 12345.
=> After a successful connection test via the new port, close port 22 in the firewall. Remark: If you use SuseFirewall as opposed to this description, you have to exclude “ssh” from the list of allowed services.

Caution: Before proceeding to the next step, make sure an additional user (without root privileges) already exists or once again you will be locked out! If not done so far, create a new user in Yast (with normal privilegues).

2) In /etc/ssh/sshd_config adjust the following 5 parameters and remove the comment signs in front of them:
=> Parameter LoginGraceTime to “2m” meaning 2 minutes for login attempts
=> Parameter PermitRootLogin to “no”
=> Parameter MaxAuthTries 3 to three login attempts
=> Parameter MaxSessions 1 to max. one simultaneous logged in user
=> Parameter AllowUsers example to the newly configured user (without root privileges)

Remark: The parameter AllowUsers does not exist in the example file, so you must add the AllowUsers line manually e.g. below the others.

=> Reboot the server and try if you can log in using your newly configured user ID. If this fails, restore your backup…
=> Try to login as root.

Remarks: It is still possible to use multiple shell windows. All logins of the same user from the same computer count as one session. You can also change the current user ID using su example (The new user must be a valid account on your system.)

Continued: Configuring the firewall

Scroll to Top