I want to disable the SSH service on DA and prevent it from automatically re-enabling.

cap4a

I want to disable the SSH service on DA and prevent it from automatically re-enabling.

Can I do that on the DA interface?

If so please show me and show me the instructions thank you.
 
Can I do that on the DA interface?
Yes. Login as admin. Then go to the "service monitor" under "admin tools".
Click on the little + on the right hand side of SSHD and select STOP. And it will stop.

But it might start working after a reboot, so you might need to do the following too.
Login as root to your system via SSH and edit the file:
/usr/local/directadmin/data/admin/services.status
Remove the line sshd=OFF and save the file.

Now, about this last one I'm not sure, and it won't work anyway if it still says sshd=ON; you might need to wait a minute.
You have to reboot and test if this fixes it.

This will not stop sshd on your server, so you will still be able to login via SSH as root.
For this to stop, you will need to stop the sshd service. But I would suggest only doing that if you have other means of logging in as root, for example via KVM in case of emergency.
 
thank you very much.
Can I turn off SSH using the file editor?
I see in the file editor there is an ssh config file as I read but I don't know how to turn it off?
 
If you want to turn off SSH you can do this, but I would not advise this. If your server has problems and you cannot log in to DirectAdmin and your SSH is turned off, how would you fix your server? Besides local terminal or iDRAC/ILO/IPMI.

You could also disable login for all users except 1 user with public key. And only 1 or 2 IPs allowed to access.

Turn off needs to be done via local terminal or via iDRAC/ILO/IPMI.

Do this:

Code:
systemctl stop sshd
systemctl disable sshd
systemctl mask sshd

Re-enable will then be for RHEL systems:

Code:
systemctl unmask sshd
systemctl enable sshd.service

And on Debian/Ubuntu:
Code:
systemctl unmask sshd
systemctl enable ssh.service
 
I see in the file editor there is an ssh config file as I read but I don't know how to turn it off?
You can only use the file editor with the file I said.

I wouldn't use the advice from @Stije, as that way you will turn off SSH completely, which I warned about in my last paragraph. You can do it, but in that case you must have some other means like KVM to reach the server/VPS in case of emergency.

However I would use these commands instead:
systemctl stop sshd
systemctl disable sshd

No need for the "mask" command.

systemctl enable ssh.service
You're missing something here. For RH and alike this would be sshd.service, not ssh.service.
 
You're missing something here. For RH and alike this would be sshd.service, not ssh.service.
sshd is linked to ssh.service. If you mask sshd you will need to enable the ssh.service to have the linked sshd service working again. So this is only if you mask the service and want to unmask it.

If you mask it, it won't start up again after reboot.

But as we both said. We don't advise to stop it unless you have iDRAC/IPMI/ILO/KVM or local terminal.
 
Another option would be just to keep it running on port 22 (or another port) and then close port 22 (or another port) on the firewall :) If you need to get into the server, just open the port.
 
@Richard G Yes you are right by the way if you are running a RHEL based server. There the ALIAS is indeed not there anymore. But on Debian/Ubuntu based servers it is. So I changed my answer yes :) Thanks

So yes on RHEL systems it would indeed be:
Code:
systemctl enable sshd.service
but on Debian/Ubuntu alike servers it is
Code:
systemctl enable ssh.service
because there the ALIAS is still alive.

If I check on the Debian server I have, you see the sshd.service is actually ssh.service:

Code:
[root@deb023]systemctl cat sshd.service

# /lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd.service
 
So I changed my answer yes :) Thanks
You're welcome. I discovered that last year when I was running Debian on VPS as test and wanted to restart ssh and didn't work. :D Because I thought sshd was the daemon and ssh was the client. But in Debian I needed the ssh service.
So yes it depends on which OS is used. I should have added that, thanks for correcting.

Still don't understand that masking stuff. Is that Debian too? Because if you just disable the service, it won't start at reboot anymore either. At least on RHEL systems.
 
Login as root to your system via SSH and edit the file:
/usr/local/directadmin/data/admin/services.status
Remove the line sshd=OFF and save the file.

When you stop it from the service monitor it's also supposed to turn it off in services.status, but it will still start on boot unless you do the other stuff.
 
@Richard G
Mask is used to prevent the service from being accidentally started again in other ways.
For example, you mask firewalld.service to prevent any accidental interference with the csf firewall.
 
Still don't understand that masking stuff.
A disabled service can be loaded, and will start if another service that depends on the service is started. So enable and disable only configure auto-start behaviour for units, and the state is easily overridden.

A masked service (unit file is a symlink to /dev/null) makes it "impossible" to load the service, even if it is required by another, enabled service.
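
The stopped / disabled / masked distinction described in this post, as an added example that is not part of the original thread. The function names and state labels are made up for illustration; only `systemctl is-enabled` and `systemctl is-active` are real commands, and the unit names are the ones discussed above plus `ssh.socket`, which Debian/Ubuntu ship and which can start `ssh.service` on demand.

```shell
#!/bin/sh
# Added example: report how firmly each SSH unit is switched off.

# classify_unit ENABLED ACTIVE
#   ENABLED = output of `systemctl is-enabled UNIT` (enabled, disabled, masked, ...)
#   ACTIVE  = output of `systemctl is-active UNIT`  (active, inactive, failed, ...)
classify_unit() {
    case "$1" in
        masked|masked-runtime)
            # Masking only blocks future starts; a running daemon keeps running.
            if [ "$2" = "active" ]; then echo "masked-but-running"
            else echo "off-locked"; fi ;;
        disabled)
            # No auto-start, but a manual start or a dependency can still load it.
            if [ "$2" = "active" ]; then echo "running-until-reboot"
            else echo "off-startable"; fi ;;
        *)
            if [ "$2" = "active" ]; then echo "running-at-boot"
            else echo "stopped-starts-at-boot"; fi ;;
    esac
}

# Walk the unit names from the thread: ssh.service (Debian/Ubuntu),
# sshd.service (RHEL and alike), and ssh.socket where it exists.
audit_ssh() {
    for unit in ssh.service sshd.service ssh.socket; do
        enabled=$(systemctl is-enabled "$unit" 2>/dev/null) || true
        # Skip names that do not exist here, and the Debian alias of ssh.service.
        case "$enabled" in ''|not-found|alias) continue ;; esac
        active=$(systemctl is-active "$unit" 2>/dev/null) || true
        printf '%s: %s\n' "$unit" "$(classify_unit "$enabled" "$active")"
    done
}

# Run the audit only when asked, e.g.:  sh audit-ssh.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_ssh
fi
```

Only `off-locked` on every listed unit matches what the original poster asked for; any other label means SSH is running or can still be started.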
 
That is why I wrote you can disable the service.

Yes I know. Why do you think I am always disagreeing with you. I was simply adding to your comment about the service.status file. When I said the "other stuff" I was referring to the stuff that you yourself had already said. I was agreeing with you.
 
Why do you think I am always disagreeing with you.
Because I'm not used to people repeating things I wrote when they agree with me. And it was unclear to me what you meant with "other stuff", because that could also well be the masking stuff. Which is indeed required for full disabling.
 
A disabled service can be loaded, and will start if another service that depends on the service is started. So enable and disable only configure auto-start behaviour for units, and the state is easily overridden.

A masked service (unit file is a symlink to /dev/null) makes it "impossible" to load the service, even if it is required by another, enabled service.

That is good information but I just don't know what other service would require sshd and turn it on. I get what you are saying but at least on my systems I don't think the mask would be needed.
 
Because I'm not used to people repeating things I wrote when they agree with me. And it was unclear to me what you meant with "other stuff", because that could also well be the masking stuff. Which is indeed required for full disabling.

I was simply clarifying the service.status file and agreeing with the rest. I didn't want you to think I was disagreeing. I could have just commented on the service.status file and left it at that. But I was trying to make the point that I agreed with you on the rest. I said "other stuff" because I didn't want to repeat everything you just said.
 
Yeah, I understand. It's just that indeed the service.status is supposed to also switch to OFF on switching in DA, but I have encountered situations where it did not switch to OFF (maybe a bug). So that is why I always advise to check it. Or disable it manually there via SSH to be 100% sure.
No problem.
 
Another option would be just to keep it running on port 22 (or another port) and then close port 22 (or another port) on the firewall :) If you need to get into the server, just open the port.
The reason I want to disable ssh is because when ssh is enabled in Brute Force Monitor there are a lot of bots that make my website get 502 error and run very slow.
As I have removed port 22 in firewall.
As bots can still access via ssh when ssh automatically restarts.
I need to remove some more ports to prevent this.
 
of bots that make my website get 502 error
Are you sure that is caused by SSH? Because often bots are attacking the website itself, which can cause an overload.

Normally if you just put the SSH port on a high port above 1024, for example port 53123 (just an example) and disable plaintext login in the sshd_config, then bots can't attack via SSH anymore.

So if you have bot issues, then I would rather investigate which bots are attacking and block those bots.
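
The alternative to switching SSH off that the thread suggests (a port above 1024, no password login, one key-only user limited to known addresses) can be checked against the running configuration. This is an added example, not part of the original thread: the function name, the finding texts, the user `admin` and the address `203.0.113.10` are constructed, and the input format is the "keyword value" output of `sshd -T`.

```shell
#!/bin/sh
# Added example: flag sshd settings that differ from the thread's hardening advice.
# Reads `sshd -T` style lines on stdin and prints one finding per line.
check_sshd_effective() {
    awk '
        { key = tolower($1) }
        key == "port" { seen_port = 1; if ($2 + 0 <= 1024) low = low " " $2 }
        key == "passwordauthentication" { pw = tolower($2) }
        key == "pubkeyauthentication"   { pk = tolower($2) }
        key == "allowusers" {
            for (i = 2; i <= NF; i++) { users++; if ($i !~ /@/) open++ }
        }
        END {
            if (!seen_port) low = " 22"   # sshd default when no Port line is given
            if (low != "") print "port:" low " is not above 1024"
            if (pw != "no") print "passwordauthentication: password login still allowed"
            if (pk == "no") print "pubkeyauthentication: key login is disabled"
            if (users == 0) print "allowusers: no restriction, every account may log in"
            else if (open > 0) print "allowusers: " open " entry(ies) not limited to a source address"
        }'
}

# Constructed sample: a default-like configuration.
SAMPLE_WEAK='port 22
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: the setup described in the thread (53123 is the thread example port).
SAMPLE_HARD='port 53123
passwordauthentication no
pubkeyauthentication yes
allowusers admin@203.0.113.10'

# Show the findings for the weak sample when asked:  sh check-sshd.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_WEAK" | check_sshd_effective
fi
```

On a real server, run `sshd -T | check_sshd_effective` as root to check the effective configuration, including any included files.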
 