Can I have "PermitRootLogin no" on /etc/ssh/sshd_config?

[devawpz]

I'm trying to secure my machines, and disallow remote root logins.

I tried setting it to no, but when I tried migrating a machine to another node on the cluster, I can't.

Can I have "PermitRootLogin no"?

How about "PermitRootLogin proibit-password"?

I figure some of these would make the installation more secure, but I would like to keep the machines communicating with each other.

Any help would be much appreciated.

 

[r.jochum]

prohibit-password should work, Proxmox VE nodes talk to each other by key's.

 

[devawpz]

prohibit-password should work, Proxmox VE nodes talk to each other by key's.

Thanks. So prohibit_password works, the same as yes, but no breaks the cluster, is this correct?

 

[r.jochum]

I'm pretty sure, you can check this by looking at the file /root/.ssh/authorized_keys you will see keys for each node in there.

 

[devawpz]

Thanks, I got some new info too in the meantime. So if I want to have SSH running on port 8887, do I need to change both /etc/ssh/sshd_config and /etc/ssh/ssh_config ? I've seen some examples, but can you point me towards any docs that cover that?

Thanks a lot!

 

[r.jochum]

No sorry, never heard about port changing

 

[oguz]

Thanks, I got some new info too in the meantime. So if I want to have SSH running on port 8887, do I need to change both /etc/ssh/sshd_config and /etc/ssh/ssh_config ? I've seen some examples, but can you point me towards any docs that cover that?

Thanks a lot!

you need to change the Port parameter in /etc/ssh/sshd_config

by default it will say #Port 22 (commented). you can uncomment it and change the port

but beware if you are making a cluster this can lead to communication problems between the nodes.

most of the time changing the port is completely unnecessary for security, since you can configure it to use key authentication only.

if you're still worried about people breaking in, i suggest you install fail2ban [0]

[0]: https://pve.proxmox.com/wiki/Fail2ban

 

[devawpz]

but beware if you are making a cluster this can lead to communication problems between the nodes.

Thank you, but can you please be clear as to the consequence of changing SSH off of port 22? Will the cluster not work if it's on a different port? Because I've tried to migrate VMs and was unsuccessful, is this the "communication problems" you refer?

So I can't run Proxmox clusters from SSH port different from 22?

Thanks for your input.

 

[devawpz]

if you're still worried about people breaking in, i suggest you install fail2ban [0]

[0]: https://pve.proxmox.com/wiki/Fail2ban

Thanks for the tip, I've installed it, but if I can only use Port 22, I'll need to rethink parts of the setup. The link you provided is very good, nevertheless, I'll be using it soon, for sure.