Tek Eye

SSH Root Login Disable for CentOS VPS Improved Security

The security of the default install of a CentOS Operating System (OS) can be improved. One option is to disable root login over SSH and log in as a non-root user with sudo rights (a sudoer) instead. Here are the steps to disable SSH root access:

  1. Create an alternative user for SSH access.
  2. Make the new user a sudoer.
  3. Test the new user's SSH login.
  4. If the login is successful, prevent SSH login for root.
  5. Optionally limit which users can use SSH logins.

Help Harden CentOS by Stopping SSH Root Logins

This tutorial assumes that access to a VPS running a minimal install of CentOS is available. If accessing a live VPS, back up important data. It is possible to test the following actions on a local VPS running in a Virtual Machine (VM). To do so see these tutorials:

All the commands in this tutorial were tested on a Windows PC running the PuTTY terminal emulator. Download the PuTTY installer from the official PuTTY Download Page.

Create a New sudoer User

When creating a new user to administer the VPS, choose a user name that is not published. Keep the user name that is dedicated to SSH login private and secure. Use a name that is difficult to guess, for example a combination of a name and a number, e.g. JDoe478.

Creating the new sudoer has already been covered by a previous article, see:

Check that the new user can log in over SSH and execute administrator commands. If so, the root login over SSH can be disabled.

Disable SSH Root Login

SSH configuration is controlled by the sshd_config file (in /etc/ssh). Edit sshd_config. For example use vi to edit sshd_config under the root login:

# vi /etc/ssh/sshd_config

Or sudo vi to edit sshd_config under the new user account:

$ sudo vi /etc/ssh/sshd_config

In vi move the cursor down to the line that has PermitRootLogin. In a default CentOS install it is likely to be in the section that starts with the Authentication comment:

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes

In vi press the Insert key or the a key to enter insert mode. Remove the # comment marker in front of PermitRootLogin. Then change the yes to no:

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no

To save the changes in vi press the escape (Esc) key and enter the command :wq (colon w q).

Restart the SSH service. For CentOS 7 use:

# systemctl restart sshd.service

For CentOS 6 use the following to restart the SSH service:

# service sshd restart

Or:

$ sudo service sshd restart

The next time root tries to log in over SSH, an Access denied message is seen.

login as: root
root@test's password:
Access denied
root@test's password:

Limit Which CentOS Users can Login Over SSH

Edit the /etc/ssh/sshd_config as above. Add a line AllowUsers followed by the required user names:

# Authentication:

#LoginGraceTime 2m  
PermitRootLogin no  
AllowUsers JDoe478

Save the changes and restart the SSH service (see above). Only the users listed in the sshd_config file can log in via SSH.
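
The two edits above fail quietly if the # marker is left in front of PermitRootLogin, or if AllowUsers is added with a mistyped name (which locks the administrator out). The script below is an added example, not part of the original tutorial; the function names and the sample file are constructed for illustration. It reads only the global section of the file and matches AllowUsers entries as plain user names.

```shell
#!/bin/sh
# Added example (not from the original page): static check of an sshd_config
# file before restarting sshd. Only the global section is read; Match blocks,
# Include files and user@host patterns in AllowUsers are not handled.

# Print every value set for keyword $1 in the global section of file $2.
global_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/         { next }  # comments and blank lines are ignored
        tolower($1) == "match" { exit }  # stop at the first conditional block
        tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print }
    ' "$2"
}

# Return 0 only if root login is off and $2 is not shut out by AllowUsers.
check_sshd_hardening() {   # $1 = config file, $2 = admin user name
    rc=0
    # sshd keeps the first value it reads for a single-valued keyword.
    prl=$(global_values PermitRootLogin "$1" | head -n 1 | tr 'A-Z' 'a-z')
    case $prl in
        no) echo "ok: PermitRootLogin no" ;;
        '') echo "FAIL: PermitRootLogin is unset or still commented out"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin $prl"; rc=1 ;;
    esac
    # AllowUsers may be given on several lines; all of them count.
    allow=$(global_values AllowUsers "$1" | tr '\n' ' ')
    if [ -n "$allow" ]; then
        case " $allow " in
            *" $2 "*) echo "ok: $2 is listed in AllowUsers" ;;
            *) echo "FAIL: AllowUsers is set but does not list $2"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample: the edit was made but the # marker was left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
AllowUsers JDoe478
EOF
check_sshd_hardening "$sample" JDoe478 || echo "do not restart sshd yet"
rm -f "$sample"
```

On the server itself, sshd -t (run as root) checks the file for syntax errors before the restart. Keep the current SSH session open until a second login as the new user succeeds.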
