I recently started looking at my auth-logs and surprisingly found bots from china trying to bruteforce their way in this (didnt try hard). I went all about changing numerous things that bots would never check, and made harder to bruteforce.
My question is:
I am trying to find a list of all users that can log in to my server via SSH. I know that /etc/passwd has a list of all users, but I don't know if any of them (except for 1) can be logged in.
My goal is to only have 1 user that can be logged in, and having that user have a real strong password.
Any user with a valid shell in /etc/passwd can potentially login. If you want to improve security, set up SSH with public-key authentication (there is lots of info on the web on doing this), install a public key in one user's ~/.ssh/authorized_keys file, and disable password-based authentication. This will prevent anybody except that one user from logging in, and will require that the user have in their possession the matching private key. Make sure the private key has a decent passphrase.
To prevent bots from trying to get in, run SSH on a port other than 22 (i.e. 3456). This doesn't improve security but prevents script-kiddies and bots from cluttering up your logs with failed attempts.
Any user whose login shell setting in /etc/passwd is an interactive shell can login. I don't think there's a totally reliable way to tell if a program is an interactive shell; checking whether it's in /etc/shells is probably as good as you can get.
Other users can also login, but the program they run should not allow them to get much access to the system. And users that aren't allowed to login at all should have /etc/false as their shell -- this will just log them out immediately.
Source: Stackoverflow.com