I recently disabled root login via SSH on my Ubuntu server as I was getting quite a lot of SSH attempts with root. I did this by editing the /etc/ssh/sshd_config file and restarting ssh.
However, when I recently checked my log file again, I saw there were numerous other attempts with root in there. The log message was "failed password", but if this did work, why would it not simply fail at the first hurdle and say "failed - root login disallowed" or something similar?
Is there a way to tell whether I have configured this correctly?
I assume you set PermitRootLogin to no. If this is the case, SSH will still accept the connection but then deny root login. You will see this in the logs, but it will not permit root to log in.
I also use the "without-password" option to permit root login only with SSH keys.
I've not dug into it but suspect this is because SSH accepts the connection and then hands the authentication process to PAM.
If you wish to block these attempts, fail2ban is a popular tool for this purpose.
http://www.fail2ban.org/wiki/index.php/Main_Page
Personally, I am not a fan of these log analyzers but they have their place.
If you set:
and restart the sshd process (/etc/init.d/sshd restart), it should disable the ability of the root user to log in. Make sure that /etc/sysconfig/sshd doesn't exist and overwrite some of the settings.
The log error upon root login will be something like (in /var/log/secure on a RHEL-based distro):
A tip could be to install something like sshguard to help battle brute-force attempts. Read about it at:
http://www.sshguard.net/
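
One way to answer the question's "is this configured correctly?", as an added example that is not part of the original question or answers: read the effective setting that `sshd -T` prints and confirm the log shows only failed root attempts, never an accepted one. The function names are hypothetical, and the sample config and log lines are constructed to match the "Failed password" message quoted in the question.

```shell
#!/bin/sh
# Added example (not from the answers). Sample data below is constructed.

# Read `sshd -T` style output on stdin, print the effective PermitRootLogin value.
effective_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Read an auth log on stdin, print "failed=N accepted=M" for root over SSH.
root_auth_summary() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / { f++ }
         /sshd\[[0-9]+\]: Accepted [^ ]+ for root from /  { a++ }
         END { printf "failed=%d accepted=%d\n", f, a }'
}

# $1 = effective value, $2 = summary line. Prints PASS or FAIL with the reason.
root_lockdown_verdict() {
    case "$1" in
        no) ;;
        *) echo "FAIL: permitrootlogin is '$1', expected 'no'"; return 1 ;;
    esac
    case "$2" in
        *accepted=0) echo "PASS: root is refused ($2)" ;;
        *) echo "FAIL: a root session was accepted ($2)"; return 1 ;;
    esac
}

# Constructed sample input (documentation IP ranges, made-up host and PIDs).
SAMPLE_CONFIG='port 22
permitrootlogin no
passwordauthentication yes'

SAMPLE_LOG='Jan 10 03:12:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 10 03:12:04 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 10 03:12:09 srv sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2
Jan 10 08:30:44 srv sshd[1302]: Accepted publickey for deploy from 198.51.100.7 port 51514 ssh2'

value=$(printf '%s\n' "$SAMPLE_CONFIG" | effective_root_login)
summary=$(printf '%s\n' "$SAMPLE_LOG" | root_auth_summary)
root_lockdown_verdict "$value" "$summary"

# On a live host:  sudo sshd -T | effective_root_login
#                  sudo cat /var/log/auth.log | root_auth_summary
#                  (/var/log/secure on a RHEL-based distro)
```

A "failed" count that keeps growing while "accepted" stays at 0 matches what the first answer describes: the connection is accepted and the password attempt is logged, but root is never let in.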