How to disallow remote root login?



I have successfully shared my unRAID on the net. Unfortunately, I don't know how many times my unRAID root password is guessed per day.

 

I would like to disallow root login from remote. I have created a user that I plan to use remotely. What is the difference between logging in with root and with another user?

 

Anyway, back to my first question: how do I disallow root login from remote?

 

By remote I mean from the internet. I would like to SSH from the LAN.

 

Thanks.

Link to comment

I value any advice you guys give me. But could you please tell me how to disallow root login remotely?

 

I already set up a VPN, but I found the VPN service interferes with my game network setup (I'm unable to play certain games until I disable the VPN network device).

 

I did not DMZ my unRAID. I manually port forward using a nonstandard port (mapping port 12345 to port 80), although the port can be discovered...

 

Anyway, I want to disallow root login remotely. How do I accomplish that?

 

Thanks.

 

Update

Using visudo, I added

user ALL=(ALL) ALL

under root.

 

I disabled SSH PermitRootLogin in the SSH settings (unRAID web UI).

 

Unfortunately, I can't SSH in remotely using the new user. After re-enabling PermitRootLogin, I still can't log in using root. It is as if the settings are messed up. I can't log in remotely at all.

Link to comment

I'm sorry if I misunderstand you.

 

unRAID doesn't have normal users which can be allowed to log in (unless you really hack up the system), thus only root can log in via SSH. From the remote side, this is a security risk, as you will certainly get hacked in a matter of time.

 

So the only real way to prevent root from logging in remotely is to prevent remote logins.

So, again, please do not port forward SSH (port 22). You can still log in locally (ssh <unRAID IP>), and nobody can attempt to log in from the internet.

 

Link to comment

unRAID doesn't have normal users which can be allowed to log in (unless you really hack up the system), thus only root can log in via SSH.

 

This I didn't know. I expected I could create a user that I can use for logging in remotely. But IIRC, limetech (forum user name) did say that he never logs in using root, so I wonder how he logs in.

 

I guess I'll just use the VPN for login. By the way, why can't I log in remotely using root? I reverted all the changes that I made before (PermitRootLogin and adding a new user with root privileges in visudo).

 

Thanks.

Link to comment

The surefire way to reset your changes is to restart the server. unRAID lives on a ramdisk, and unless you've been adding/running stuff to copy the config changes back to the correct places on the flash drive, the reboot will give you unRAID as it was before you made manual changes to the configs (web UI changes notwithstanding).

 

The normal ways to restrict root login via SSH are:

* disallow it via permitrootlogin=no in /etc/ssh/sshd_config and have normal users log in (but normal users normally don't exist in unRAID)

* disallow SSH password logins and require key files or certificates to log in (doable)

* IP whitelisting via iptables (I really don't advise this)

* IP whitelisting via the router (still a rather difficult way)

 

Still, it is not recommended to allow the internet access to your unRAID (at least not directly over SSH or the web UI). If you must, use an inbound VPN.

 

Me, I have a private VPN with a VPS, and my VPS will only accept key logins over SSH. From there I can log in to my unRAID server as if I was local.

Link to comment
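The methods listed in the post above, written out as an added example (this is not code from the thread or from unRAID): a POSIX shell script that writes an sshd_config fragment combining the first two items (root login disabled globally, password authentication off, keys required) with an sshd-native form of the whitelist, a Match Address block that lets root in, key only, from one LAN range, plus an audit function that flags the weak global settings. The LAN range 192.168.1.0/24 and the file paths are assumptions. Note that sshd_config directives are written as a keyword and a value separated by whitespace (PermitRootLogin no), not with an equals sign, and, as the same reply says, on unRAID such a file does not survive a reboot unless it is copied back to the flash drive.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from unRAID.
# Writes a hardened sshd_config fragment and audits an sshd_config for the
# weak global settings discussed in the thread. File paths and the LAN range
# 192.168.1.0/24 are assumptions: pass your own paths, adjust the Match line.

# write_hardened_config FILE: root login off globally, keys only, with an
# exception so root can still log in (key only, never a password) from the LAN.
write_hardened_config() {
    cat > "$1" <<'EOF'
# Global section: applies to every connection unless a Match block overrides it
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20

# Exception for the (assumed) LAN range only. Everything after a Match line
# applies only to clients that match it.
Match Address 192.168.1.0/24
    PermitRootLogin prohibit-password
EOF
}

# write_weak_config FILE: constructed sample of the kind of config that leaves
# root guessable from the internet.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# audit_sshd_config FILE: print one line per weak global setting and return the
# number of findings as the exit status (0 means nothing weak was found).
# Only lines before the first Match block are global, so the scan stops there.
audit_sshd_config() {
    awk '
        BEGIN { n = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (key == "match") exit                      # END block still runs
            seen[key] = 1
            if (key == "permitrootlogin" && val == "yes") {
                print "WEAK: PermitRootLogin yes (root reachable from any address)"; n++
            }
            if (key == "passwordauthentication" && val == "yes") {
                print "WEAK: PasswordAuthentication yes (password guessing possible)"; n++
            }
            if ((key == "challengeresponseauthentication" || key == "kbdinteractiveauthentication") && val == "yes") {
                print "WEAK: " $1 " yes (password prompts still possible via PAM)"; n++
            }
        }
        END {
            # sshd ships with PasswordAuthentication defaulting to yes, so an
            # unset directive is as weak as an explicit yes.
            if (!seen["passwordauthentication"]) {
                print "WEAK: PasswordAuthentication not set (sshd default is yes)"; n++
            }
            exit n
        }
    ' "$1"
}

# Stand-alone demo: write both files to a temporary directory and audit them.
demo_dir=$(mktemp -d)
write_weak_config "$demo_dir/weak.conf"
write_hardened_config "$demo_dir/hardened.conf"
for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "OK: no weak global settings" || echo "findings: $?"
done
rm -rf "$demo_dir"
```

Run it on the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero exit status is the number of findings, which makes it easy to wire into a boot-time check. The audit deliberately ignores everything after the first Match keyword because those directives only apply to the matched clients; the hardened fragment relies on exactly that scoping to allow root from the LAN while keeping it off for everyone else.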

... Unfortunately, I don't know how many times my unRAID root password is guessed per day...

Since nobody directly addressed this, I will. I would say the answer is literally thousands of times per day, and even if they are unsuccessful for a while, it will degrade your server's network performance. And they won't give up.

 

The fact that you even ask makes me think that you don't know how these things are done. This kind of attack is completely automated these days. Lots of bots from all over the world will constantly keep trying to get in. Nobody even has to do any work to make this happen; they just wait for their bots to announce success.

Link to comment
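What those automated guesses look like on the server side, as an added example that is not from the thread or from unRAID: constructed OpenSSH log lines in the standard syslog wording (source addresses taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, plus one LAN host at 192.168.1.20), and awk functions that count failures per source address, count guesses against root specifically, and list addresses over a threshold while exempting the LAN range, which is the triage a fail2ban-style blocker performs before banning. The file path and the 192.168.1.0/24 LAN range are assumptions; where unRAID writes its sshd log is not stated on this page.

```shell
#!/bin/sh
# Added example, not from the forum thread or from unRAID. Constructed sshd
# log lines (OpenSSH's standard syslog wording, documentation IP ranges) and
# awk functions that count guesses per source the way a log-based blocker
# would before deciding what to ban. The LAN range 192.168.1.0/24 is assumed.

# write_sample_log FILE: constructed sample, not captured from a real server.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 03:12:01 tower sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 10 03:12:03 tower sshd[1234]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jan 10 03:12:05 tower sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 10 03:12:07 tower sshd[1241]: Invalid user oracle from 198.51.100.7 port 40024
Jan 10 03:12:09 tower sshd[1242]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 10 03:13:00 tower sshd[1250]: Accepted publickey for root from 192.168.1.20 port 55100 ssh2
Jan 10 03:14:00 tower sshd[1251]: Failed password for root from 192.168.1.20 port 55102 ssh2
Jan 10 03:14:02 tower sshd[1251]: Failed password for root from 192.168.1.20 port 55102 ssh2
EOF
}

# failed_logins_by_ip FILE: prints "count address" per source, most active first.
# "Failed password" and "Invalid user" lines are both guesses; "Accepted" is not.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)            # the address follows the word "from"
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# root_guess_count FILE: how many of the failures targeted root specifically.
root_guess_count() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / { n++ } END { print n + 0 }' "$1"
}

# ban_candidates FILE THRESHOLD: addresses with at least THRESHOLD failures,
# skipping the (assumed) LAN range so a typo at home never locks you out.
ban_candidates() {
    failed_logins_by_ip "$1" | awk -v threshold="$2" '
        $1 >= threshold && index($2, "192.168.1.") != 1 { print $2 }
    '
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "failed logins per source address:"
failed_logins_by_ip "$sample"
echo "guesses against root: $(root_guess_count "$sample")"
echo "ban candidates (>= 2 failures, LAN exempt):"
ban_candidates "$sample" 2
rm -f "$sample"
```

Against a real log the same functions run unchanged, for example `ban_candidates /var/log/auth.log 10`, and the threshold is where policy lives: on a port-forwarded host the counts from a single bot easily reach the hundreds, which is why the exemption for the LAN range matters more than the exact number.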
