1. Direct method: forbid direct root login on the ssh server
a): Edit the sshd configuration file on the ssh server, /etc/ssh/sshd_config:
-bash-3.2# vi /etc/ssh/sshd_config
...
PermitRootLogin no
PermitEmptyPasswords no
...
-bash-3.2# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
b): Restart sshd on the ssh server:
Command:
-bash-3.2# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
-bash-3.2#
Or:
-bash-3.2# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
-bash-3.2#
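A check worth running before the restart in step b, given here as an added example written for this article and not taken from the original post: sshd uses the first uncommented occurrence of a keyword in sshd_config, so a hardening line appended below an earlier active "PermitRootLogin yes" is silently ignored. The script reads a file in sshd_config's format and reports the value sshd will actually use for PermitRootLogin and PermitEmptyPasswords. The two sample files are constructed here, and the function names effective_setting and check_root_login are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Reports the value sshd will
# use for a directive: the FIRST uncommented occurrence wins, keyword matching
# is case-insensitive, as described in sshd_config(5). Assumes "Keyword value"
# lines separated by whitespace; Match blocks are not handled.

# effective_setting FILE KEYWORD -> prints the first active value, or "default"
effective_setting() {
    file=$1
    key=$2
    val=$(awk -v k="$key" '
        /^[ \t]*#/ { next }                            # skip comment lines
        tolower($1) == tolower(k) { print $2; exit }   # first match wins
    ' "$file")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'default\n'
    fi
}

# check_root_login FILE -> "ok" when root login is off and empty passwords
# are not allowed; otherwise prints the values found. Compiled-in defaults
# for this OpenSSH generation: PermitRootLogin yes, PermitEmptyPasswords no.
check_root_login() {
    f=$1
    rl=$(effective_setting "$f" PermitRootLogin)
    ep=$(effective_setting "$f" PermitEmptyPasswords)
    if [ "$rl" = "no" ] && [ "$ep" != "yes" ]; then
        echo ok
    else
        echo "PermitRootLogin=$rl PermitEmptyPasswords=$ep"
    fi
}

SAMPLE_BAD=$(mktemp)
SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

# Constructed sample: the "no" added at the bottom never takes effect because
# an active "PermitRootLogin yes" comes first.
cat > "$SAMPLE_BAD" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# Constructed sample: edited the way the article shows.
cat > "$SAMPLE_GOOD" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
#PermitEmptyPasswords no
PermitEmptyPasswords no
EOF

echo "bad sample:  $(check_root_login "$SAMPLE_BAD")"
echo "good sample: $(check_root_login "$SAMPLE_GOOD")"
```

Run it against a copy of the real file with check_root_login /etc/ssh/sshd_config. Independently of this script, sshd -t -f /etc/ssh/sshd_config validates the file for syntax errors without starting the daemon, which avoids a restart that leaves no sshd listening; on OpenSSH 5.1 and later, sshd -T prints the effective configuration and is the authoritative check.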
2. Indirect method: disable the root user:
a): Method 1: pick a specific user and promote it to root privileges by changing both its uid and gid to 0, so that it replaces root.
Then find the line starting with root in /etc/passwd (usually the first line) and add a # in front of it; this completely disables the root user. This method is not recommended,
because it can cause sudo to stop working.
-bash-3.2# vi /etc/passwd
#root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
piranha:x:60:60::/etc/sysconfig/ha:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
luci:x:100:102::/var/lib/luci:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
ricci:x:101:105:ricci daemon user:/var/lib/ricci:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:102:106:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
wzb:x:500:500:wzb:/home/wzb:/bin/bash
arm:x:501:501::/home/arm:/bin/bash
vnc:x:502:502::/home/vnc:/bin/bash
oggo:x:503:504::/home/oggo:/bin/bash
myadmin:x:504:505::/home/myadmin:/bin/bash
-bash-3.2#
b): Method 2: edit the /etc/shadow file
In the line starting with root, add ! or * in front of the password hash (the second field):
-bash-3.2# vi /etc/shadow
root:!$1$Bo.eWvgy$GQHyFR2Cbcoyd03jJLbx40:15036:0:99999:7:::
bin:*:14917:0:99999:7:::
daemon:*:14917:0:99999:7:::
adm:*:14917:0:99999:7:::
lp:*:14917:0:99999:7:::
sync:*:14917:0:99999:7:::
shutdown:*:14917:0:99999:7:::
halt:*:14917:0:99999:7:::
mail:*:14917:0:99999:7:::
news:*:14917:0:99999:7:::
uucp:*:14917:0:99999:7:::
operator:*:14917:0:99999:7:::
games:*:14917:0:99999:7:::
gopher:*:14917:0:99999:7:::
ftp:*:14917:0:99999:7:::
nobody:*:14917:0:99999:7:::
distcache:!!:14917:0:99999:7:::
nscd:!!:14917:0:99999:7:::
vcsa:!!:14917:0:99999:7:::
apache:!!:14917:0:99999:7:::
mailnull:!!:14917:0:99999:7:::
smmsp:!!:14917:0:99999:7:::
rpc:!!:14917:0:99999:7:::
ais:!!:14917:0:99999:7:::
postgres:!!:14917:0:99999:7:::
piranha:!!:14917:0:99999:7:::
oprofile:!!:14917:0:99999:7:::
webalizer:!!:14917:0:99999:7:::
dovecot:!!:14917:0:99999:7:::
squid:!!:14917:0:99999:7:::
mysql:!!:14917:0:99999:7:::
pcap:!!:14917:0:99999:7:::
ntp:!!:14917:0:99999:7:::
luci:!!:14917:0:99999:7:::
dbus:!!:14917:0:99999:7:::
avahi:!!:14917:0:99999:7:::
rpcuser:!!:14917:0:99999:7:::
nfsnobody:!!:14917:0:99999:7:::
hsqldb:!!:14917:0:99999:7:::
named:!!:14917:0:99999:7:::
sshd:!!:14917:0:99999:7:::
pegasus:!!:14917:0:99999:7:::
ricci:!!:14917:0:99999:7:::
haldaemon:!!:14917:0:99999:7:::
avahi-autoipd:!!:14917:0:99999:7:::
xfs:!!:14917:0:99999:7:::
gdm:!!:14917:0:99999:7:::
sabayon:!!:14917:0:99999:7:::
wzb:$1$jkCLmVgc$oecHihlY9rFnakl7EoiBN0:14917:0:99999:7:::
arm:$1$Jn1yoNIE$x3CyeKQiM2V4wBc6BK2q2.:14936:0:99999:7:::
vnc:$1$bNsK/OR/$1iZNUB2CHzb.9zVEerxMa0:15153:0:99999:7:::
oggo:$1$QT9I5IaI$cotEAaRTkiupMZJCwUb0s0:15154:0:99999:7:::
myadmin:$1$nHIaqNH/$RI633PelKRvtV.YUyxmgU0:15154:0:99999:7:::
-bash-3.2#
c): Method 3: use the passwd command
Lock the root user: sudo passwd -l root
Unlock the root user: sudo passwd -u root
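An added audit covering the three indirect methods above (example code written for this article, not from the original post): it lists every account with UID 0 in a passwd-format file, which is the state method 1 creates, and classifies the password field of a shadow-format line as locked (starting with ! or *, which is what method 2 writes by hand and passwd -l writes for you), empty, or set. The passwd and shadow contents are constructed samples with placeholder hashes, and uid0_accounts and lock_state are names chosen for this example. One caveat the sshd_config comment above already hints at: a locked root password only stops password logins and su to root; if PermitRootLogin still permits it, root can still log in over ssh with an authorized key, so the direct and indirect methods complement rather than replace each other.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the account-level
# changes from methods 1-3 on files in the passwd(5) / shadow(5) format.
# Both inputs below are constructed samples, not data from a real system.

# uid0_accounts PASSWD_FILE -> prints every login with UID 0, one per line.
# Method 1 leaves a second UID-0 account behind; this is what a reviewer
# looks for when asking who can act as root.
uid0_accounts() {
    awk -F: '/^[ \t]*#/ { next } $3 == 0 { print $1 }' "$1"
}

# lock_state SHADOW_FILE LOGIN -> locked | empty | set | missing
# A password field beginning with "!" or "*" can never match a typed
# password, so the account cannot authenticate with one; an empty field
# means no password is required at all.
lock_state() {
    awk -F: -v u="$2" '
        $1 == u {
            if ($2 == "")            print "empty"
            else if ($2 ~ /^[!*]/)   print "locked"
            else                     print "set"
            found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

PASSWD_SAMPLE=$(mktemp)
SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"' EXIT

# Constructed: root commented out as in method 1, "myadmin" given uid/gid 0.
cat > "$PASSWD_SAMPLE" <<'EOF'
#root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
myadmin:x:0:0::/home/myadmin:/bin/bash
wzb:x:500:500:wzb:/home/wzb:/bin/bash
EOF

# Constructed: placeholder hashes, not real credentials. root is locked the
# way method 2 / passwd -l leave it; "guest" has an empty password field.
cat > "$SHADOW_SAMPLE" <<'EOF'
root:!$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx:15036:0:99999:7:::
bin:*:14917:0:99999:7:::
myadmin:$1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy:15154:0:99999:7:::
guest::15154:0:99999:7:::
EOF

echo "UID 0 accounts:"
uid0_accounts "$PASSWD_SAMPLE"
for u in root bin myadmin guest nobody; do
    printf '%s: %s\n' "$u" "$(lock_state "$SHADOW_SAMPLE" "$u")"
done
```

On a real host run uid0_accounts /etc/passwd and lock_state /etc/shadow root as root. In the sample, myadmin shows up as a UID-0 account with a set password while root is locked: that is exactly the outcome of method 1, and the reason the article does not recommend it is that tools such as sudo look up root by name and may no longer resolve it.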
3. Summary: the direct method and the three indirect methods above are recommended.
You are free to share or copy this text, but please keep this document's URL as the reference URL.
Licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.