# restrict sftp and block ssh except root



## spring_64 (Jan 29, 2017)

Hi all,
I have an sftpgroup and I want the users of this group to be able to use sftp only, and nobody to be able to ssh.
This is my sshd config:

```
Match Group *,!sftpgroup
   X11Forwarding no
   ChrootDirectory %h
   AllowTcpForwarding no
   ForceCommand internal-sftp
```

Now, I want only root to be able to ssh to my server. I added another group named sshgroup and added root to this group, but I still cannot ssh.

Would you please help me solve this problem?
Thanks.


----------



## SirDice (Jan 30, 2017)

spring_64 said:

> Now, I want only root to be able to ssh to my server.

Bad idea.

spring_64 said:

> I added another group named sshgroup and added root to this group, but I still cannot ssh.

```
PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be ``yes'', ``prohibit-password'', ``without-password'',
             ``forced-commands-only'', or ``no''.  The default is ``no''.
             Note that if ChallengeResponseAuthentication is ``yes'', the root
             user may be allowed in with its password even if PermitRootLogin
             is set to ``without-password''.

             If this option is set to ``prohibit-password'' or
             ``without-password'', password and keyboard-interactive
             authentication are disabled for root.

             If this option is set to ``forced-commands-only'', root login
             with public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to ``no'', root is not allowed to log in.
```
Taken from sshd_config(5). There's a very good reason why this is set to no by default.

Just some random logs from my server:

```
Jan 30 06:29:43 armitage sshd[60260]: error: maximum authentication attempts exceeded for root from 95.152.16.251 port 45377 ssh2 [preauth]
Jan 30 06:29:43 armitage sshd[60260]: Disconnecting: Too many authentication failures [preauth]
Jan 30 06:33:50 armitage sshd[60320]: Did not receive identification string from 113.108.21.16
Jan 30 06:35:26 armitage sshd[60336]: Connection closed by 51.255.205.6 port 40966 [preauth]
Jan 30 07:08:12 armitage sshd[60620]: Connection closed by 190.3.169.158 port 18953 [preauth]
Jan 30 07:11:32 armitage sshd[60672]: Address 181.20.68.233 maps to 181-20-68-233.speedy.com.ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 30 07:11:34 armitage sshd[60672]: error: maximum authentication attempts exceeded for root from 181.20.68.233 port 48480 ssh2 [preauth]
Jan 30 07:11:34 armitage sshd[60672]: Disconnecting: Too many authentication failures [preauth]
Jan 30 07:11:41 armitage sshd[60674]: Address 181.20.68.233 maps to 181-20-68-233.speedy.com.ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 30 07:11:43 armitage sshd[60674]: error: maximum authentication attempts exceeded for root from 181.20.68.233 port 48541 ssh2 [preauth]
Jan 30 07:11:43 armitage sshd[60674]: Disconnecting: Too many authentication failures [preauth]
Jan 30 07:13:21 armitage sshd[60680]: Connection closed by 51.255.205.6 port 34569 [preauth]
Jan 30 07:38:37 armitage sshd[60892]: Received disconnect from 211.110.154.229 port 55518:11: Bye Bye [preauth]
Jan 30 07:38:37 armitage sshd[60892]: Disconnected from 211.110.154.229 port 55518 [preauth]
Jan 30 07:38:40 armitage sshd[60887]: Connection reset by 86.104.82.167 port 51830 [preauth]
Jan 30 07:52:50 armitage sshd[61010]: Connection closed by 51.255.205.6 port 34569 [preauth]
Jan 30 07:54:22 armitage sshd[61019]: Connection closed by 190.3.169.158 port 18953 [preauth]
Jan 30 08:11:22 armitage sshd[61217]: error: maximum authentication attempts exceeded for root from 88.158.199.35 port 3895 ssh2 [preauth]
Jan 30 08:11:22 armitage sshd[61217]: Disconnecting: Too many authentication failures [preauth]
Jan 30 08:41:59 armitage sshd[61451]: Connection closed by 190.3.169.158 port 18953 [preauth]
Jan 30 08:44:10 armitage sshd[61487]: error: maximum authentication attempts exceeded for root from 190.40.230.144 port 37738 ssh2 [preauth]
Jan 30 08:44:10 armitage sshd[61487]: Disconnecting: Too many authentication failures [preauth]
Jan 30 08:56:03 armitage sshd[61601]: error: maximum authentication attempts exceeded for root from 114.37.166.132 port 46533 ssh2 [preauth]
Jan 30 08:56:03 armitage sshd[61601]: Disconnecting: Too many authentication failures [preauth]
Jan 30 09:08:51 armitage sshd[61705]: Received disconnect from 112.85.42.46 port 19759:11:  [preauth]
Jan 30 09:08:51 armitage sshd[61705]: Disconnected from 112.85.42.46 port 19759 [preauth]
Jan 30 09:30:03 armitage sshd[61899]: error: maximum authentication attempts exceeded for root from 118.122.94.226 port 47251 ssh2 [preauth]
```


----------



## spring_64 (Feb 2, 2017)

Thank you for your answer.
Actually, I set `PermitRootLogin=yes`, but I still cannot ssh.



SirDice said:

> Bad idea.

I want only the administrator to be able to ssh to the server.


----------



## Deleted member 9563 (Feb 2, 2017)

spring_64 said:

> I want only the administrator to be able to ssh to the server.

Just because the administrator has root access does not mean she is limited to only a root account. Make another one for this purpose and tell the administrator what it is.
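
Pulling the thread together, here is an added sshd_config fragment (example configuration, not spring_64's file or anything posted in the thread) that restricts sftpgroup to sftp, keeps PermitRootLogin at the default of no that SirDice's man page excerpt recommends, and lets shell access in only through a separate administrator account as the last reply suggests. The group names sftpgroup and sshgroup come from the first post; that the administrator's personal account is a member of sshgroup is an assumption.

```sshd_config
# Added example, not the configuration from the thread. Group names sftpgroup
# and sshgroup come from the first post; the administrator's personal account
# being a member of sshgroup is an assumption.

# Keep the default: root does not log in over ssh. The administrator logs in
# with a personal account in sshgroup and escalates privileges locally.
PermitRootLogin no

# Only members of these groups may authenticate at all; every other account
# is refused before any Match block is evaluated. (AllowGroups is a global
# keyword and is not permitted inside a Match block.)
AllowGroups sshgroup sftpgroup

# The in-process sftp server needs no binaries or libraries inside the chroot.
Subsystem sftp internal-sftp

# Match the group to restrict, not its complement. The original
# "Match Group *,!sftpgroup" applied the block to every group EXCEPT
# sftpgroup: root is not in sftpgroup, so all of root's groups matched "*",
# root was forced into internal-sftp and could never get a shell.
# Match blocks must come last in the file: every line after a Match line
# belongs to it until the next Match.
Match Group sftpgroup
    # %h is the user's home. sshd refuses the chroot unless this directory
    # and every component above it are owned by root and not group- or
    # world-writable, so give each user a root-owned home with a writable
    # subdirectory (for example ~/upload) for their files.
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Run `sshd -t` to syntax-check the file before restarting the daemon, and `sshd -T -C user=<name>,host=<hostname>,addr=<ip>` to print the effective configuration for a given connection so you can confirm which block an account lands in. An account that is in both sshgroup and sftpgroup matches the Match block and gets sftp only, so keep the administrator out of sftpgroup.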


----------

