A default is a decision someone else made for you.
It's set for convenience, to get you moving fast. That's the opposite of what you want once a system is real and people depend on it. Both of today's tasks change a default on purpose, one in Linux and one in AWS.
Task 1 (Linux): Disable Root Login Over SSH
By default, a lot of Linux images let root log in directly over SSH. That's one weak password, or one leaked key away from someone owning the entire machine. So you turn it off.
```bash
# Edit the SSH daemon config
sudo vi /etc/ssh/sshd_config
# Find this line and change it. On newer images the value may instead be set
# by a drop-in file under /etc/ssh/sshd_config.d/, which is why the
# sshd -T check at the end matters more than the edit itself.
# PermitRootLogin yes -> PermitRootLogin no
# Restart SSH to apply the change
# (on Debian/Ubuntu the unit is named ssh rather than sshd)
sudo systemctl restart sshd
# Confirm the setting is live, without restarting again
sudo sshd -T | grep permitrootlogin
```
Key points:
- `sshd -T` prints the effective config after every file and drop-in has been parsed. Use it to confirm the change took, instead of trusting that you edited the right line in the right file.
- Make sure a non-root user with sudo exists before you do this, and keep your current session open while you test a fresh login as that user. Turn off root login with no other way in, and you've locked yourself out of your own server.
I've never sat in a hardening review where this wasn't on the list. Not because disabling root is clever. Because the attacks that actually work are rarely clever. They're someone trying to root with a common password against a box that should never have accepted the attempt.
Task 2 (AWS): Carve Out a VPC Subnet Without Overlap
Goal: create a subnet inside an existing VPC. What the task is really checking is whether you look at what's already there before you add to it.
```bash
# See the VPC you're working in; note its CidrBlock, the new subnet has to fit inside it
aws ec2 describe-vpcs
# List existing subnets and their CIDR ranges first
aws ec2 describe-subnets \
  --query 'Subnets[*].{SubnetId:SubnetId, CidrBlock:CidrBlock}' \
  --output table
# Create the subnet with a range that doesn't overlap anything listed above
# (10.0.0.0/24 is the example range here; pick one that is free in your VPC)
aws ec2 create-subnet \
  --vpc-id <VpcId> \
  --cidr-block 10.0.0.0/24 \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-subnet}]'
# Verify it landed
aws ec2 describe-subnets --filters "Name=tag:Name,Values=my-subnet"
```
Key points:
- List existing subnets before you create one. Two subnets with overlapping CIDR ranges are the kind of problem you don't notice now and can't easily explain later, when routing starts behaving in ways that make no sense.
- A `/24` gives you 256 addresses, 251 usable. AWS reserves 5 in every subnet, so the count never quite matches what you'd expect.
- Tag it at creation. Finding a resource by name later beats hunting through a list of subnet IDs.
Subnets look trivial until you're a few environments deep and two of them claim the same range. Address planning is boring on Day 1 and the reason for a war room on Day 200. The check is one command. Run it before, not after.
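The "look before you add" check from Task 2, as an added example that is not part of the original post: it takes `describe-subnets` JSON (a constructed sample here, with the two subnet IDs invented), rejects a candidate that overlaps, sits outside the VPC, or is below AWS's /28 minimum, and walks the VPC to find the first free block of the requested size.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-subnets --output json`, trimmed to the
# two fields the --query in the post keeps. Note that 10.0.0.0/24, the range used
# in the create-subnet command above, is already taken in this sample.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa", "CidrBlock": "10.0.0.0/24"},
        {"SubnetId": "subnet-0bbb", "CidrBlock": "10.0.1.0/24"},
    ]
})


def existing_cidrs(describe_subnets_json):
    """Parse describe-subnets output into network objects."""
    data = json.loads(describe_subnets_json)
    return [ipaddress.ip_network(s["CidrBlock"]) for s in data["Subnets"]]


def check_candidate(vpc_cidr, candidate, existing):
    """Return a list of problems with the candidate; an empty list means safe to create."""
    vpc = ipaddress.ip_network(vpc_cidr)
    cand = ipaddress.ip_network(candidate, strict=True)  # strict: reject 10.0.0.1/24-style typos
    problems = []
    if not cand.subnet_of(vpc):
        problems.append(f"{cand} is not inside VPC {vpc}")
    if cand.prefixlen > 28:
        problems.append(f"{cand} is smaller than the AWS minimum of /28")
    for net in existing:
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps existing subnet {net}")
    return problems


def first_free_block(vpc_cidr, prefixlen, existing):
    """Walk the VPC in address order and return the first block of the requested size that overlaps nothing."""
    vpc = ipaddress.ip_network(vpc_cidr)
    for block in vpc.subnets(new_prefix=prefixlen):
        if not any(block.overlaps(net) for net in existing):
            return str(block)
    return None


def usable_hosts(cidr):
    """AWS reserves 5 addresses per subnet (network, VPC router, DNS, future use, broadcast)."""
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    taken = existing_cidrs(SAMPLE_DESCRIBE_SUBNETS)
    print(check_candidate("10.0.0.0/16", "10.0.0.0/24", taken))  # the post's range collides here
    print(first_free_block("10.0.0.0/16", 24, taken))           # 10.0.2.0/24
    print(usable_hosts("10.0.0.0/24"))                           # 251
```

Pipe real output in with `aws ec2 describe-subnets --vpc-id <VpcId> --output json` and the same functions apply unchanged.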
What Day 3 Is Really About
Both tasks took less than a minute of typing. Neither is hard. The skill isn't the command; it's the habit of not accepting what you were handed just because it works out of the box.
So here's the question for the systems you run right now. How many defaults are still sitting there untouched because nobody stopped to ask whether they should be? Pick one this week and change it on purpose.