Help Harden CentOS by Stopping SSH Root Logins
Here are the steps to disable SSH root access:
- Create an alternative user for SSH access.
- Make the new user a sudoer.
- Test the new user’s SSH login.
- If that login succeeds, disable SSH login for root.
- Optionally limit which users can use SSH logins.
This tutorial assumes access to a VPS running a minimal install of CentOS. If working on a live VPS, back up important data first. The steps can also be rehearsed on a local CentOS VPS running in a Virtual Machine (VM); to set one up see these articles:
- Virtualization Software for Windows, Run Another OS for Free
- Virtual CentOS on Windows Using VirtualBox to Run the VM
- SSH into VPS Virtual Machine on Windows Using PuTTY
All the commands in this tutorial were tested from a Windows PC running the PuTTY terminal emulator. Download the PuTTY installer from the official PuTTY Download Page.
Create a New sudoer User
When creating a new user to administer the VPS, choose a user name that is not published anywhere. Keep the user name dedicated to SSH login private, and make it hard to guess, for example a combination of a name and a number such as JDoe478. An unpublished name only cuts down automated guessing; it is no substitute for a strong password on that account.
Creating the new sudoer has already been covered by a previous article, see:
Check that the new user can log in over SSH and run administrator commands through sudo. Only once that works should root login over SSH be disabled; keep that working session open while making the change, so a mistake in the configuration cannot lock you out.
Disable SSH Root Login
The SSH server is configured by the sshd_config file in /etc/ssh. Edit sshd_config, for example with vi while logged in as root:
# vi /etc/ssh/sshd_config
Or sudo vi to edit sshd_config under the new user account:
$ sudo vi /etc/ssh/sshd_config
In vi, move the cursor down to the line containing PermitRootLogin. In a default CentOS install it is in the section that starts with the Authentication comment, as a commented-out line reading #PermitRootLogin yes (a commented-out line in sshd_config shows the built-in default, so root logins are allowed until the line is changed).
In vi press the Insert key or a to enter insert mode. Remove the # comment marker in front of PermitRootLogin, then change the yes to no, so that the line reads PermitRootLogin no.
To save the change in vi, press the escape (Esc) key and enter the command :wq (colon, w, q).
Restart the SSH service so the change takes effect. Existing sessions, including the one used for editing, stay connected; before closing it, open a fresh connection and confirm the new user can still log in:
# service sshd restart
$ sudo service sshd restart
The next time root tries to log in over SSH, the password is still asked for but the server answers with an Access denied message, whatever is typed:
login as: root
Root is still usable on the console and through sudo or su from the new user; only direct SSH logins as root are refused.
Limit Which CentOS Users can Login Over SSH
Edit /etc/ssh/sshd_config as above and add a line starting with AllowUsers followed by the permitted user names separated by spaces, for example AllowUsers JDoe478. Put the line in the main part of the file, above any Match block, because options placed after a Match line apply only to that block.
Save the changes and restart the SSH service (see above). From then on only the users listed on the AllowUsers line can log in via SSH; every other account, root and any other existing users included, gets the same denial, so make sure the admin user is on the list before restarting.
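As an added example, not part of the original article, the following POSIX sh helpers make both sshd_config edits described above (PermitRootLogin no in the previous section, and AllowUsers here) in a scripted, repeatable way and then read the file back to confirm the effective values. The function names and the sample configuration are this example's own; the helpers act on whatever file path they are given, which on a real host would be /etc/ssh/sshd_config, run as root or under sudo.

```shell
#!/bin/sh
# Added example (not from the original article): helpers that make the two
# sshd_config edits from the text idempotently and verify the result, instead
# of editing by hand in vi. Function names and the sample config are ours.

# sshd_set_option FILE KEY VALUE
# Replace the first line for KEY in the global section, whether it is active
# or commented out (e.g. "#PermitRootLogin yes"). If KEY is absent, insert it
# before the first Match block, since options after a Match line apply only
# to that block; with no Match block it is appended at the end.
sshd_set_option() {
    opt_file=$1 opt_key=$2 opt_value=$3
    awk -v k="$opt_key" -v v="$opt_value" '
        !done && $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { print k " " v; done = 1; next }
        !done && /^[ \t]*Match([ \t]|$)/                { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$opt_file" > "$opt_file.tmp" && mv "$opt_file.tmp" "$opt_file"
}

# sshd_get_option FILE KEY
# Print the value sshd would use for KEY: the first active line in the global
# section (sshd keeps the first value it reads for a keyword and ignores later
# ones). Prints nothing if KEY is not set there.
sshd_get_option() {
    awk -v k="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        $1 == k { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# harden_sshd FILE USER...
# Apply the article's two changes: forbid root logins over SSH and allow SSH
# logins only for the listed users. Keeps a backup beside the file, refuses an
# empty user list (which would leave a broken or fully locked-down config) and
# fails unless the file reads back with the expected values.
harden_sshd() {
    cfg=$1; shift
    if [ $# -eq 0 ]; then
        echo "harden_sshd: refusing to write an empty AllowUsers" >&2
        return 1
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    sshd_set_option "$cfg" PermitRootLogin no || return 1
    sshd_set_option "$cfg" AllowUsers "$*" || return 1
    [ "$(sshd_get_option "$cfg" PermitRootLogin)" = no ] || return 1
    [ "$(sshd_get_option "$cfg" AllowUsers)" = "$*" ] || return 1
}

# make_sample_config
# Write a constructed sample (ours, not copied from any host) resembling the
# relevant lines of a stock CentOS sshd_config, plus an active Match block so
# the insert-before-Match rule is exercised. Prints the temp file path.
make_sample_config() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
PasswordAuthentication yes

# Constructed per-address override block
Match Address 192.0.2.0/24
    X11Forwarding no
EOF
    echo "$sample"
}

# Demo on the sample file. On a real host this would instead be
# harden_sshd /etc/ssh/sshd_config JDoe478, followed by sshd -t and a restart.
demo_cfg=$(make_sample_config)
harden_sshd "$demo_cfg" JDoe478 && cat "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

After running harden_sshd against the real /etc/ssh/sshd_config, check the syntax with sshd -t before restarting the service (service sshd restart on CentOS 6, systemctl restart sshd on CentOS 7 and later), and test a fresh login as the listed user before closing the session you edited from; the .bak copy is there to restore if that test fails.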
See the article Securing OpenSSH on the CentOS Wiki.