SSH Root Login Disable for CentOS VPS Improved Security
The security of the default install of a CentOS Operating System (OS) can be improved. One option is to disable root login over SSH and log in as a non-root user with sudo rights (a sudoer) instead. Here are the steps to disable SSH root access:
- Create an alternative user for SSH access.
- Make the new user a sudoer.
- Test the new user's SSH login.
- If the login is successful, prevent SSH login for root.
- Optionally limit which users can use SSH logins.
Help Harden CentOS by Stopping SSH Root Logins
This tutorial assumes that access to a VPS running a minimal install of CentOS is available. If working on a live VPS, back up important data first. It is possible to test the following actions on a local VPS running in a Virtual Machine (VM). To do so see these tutorials:
- Virtualization Software for Windows, Run Another OS for Free
- Virtual CentOS on Windows Using VirtualBox to Run the VM
- SSH into VPS Virtual Machine on Windows Using PuTTY
All the commands in this tutorial were tested on a Windows PC running the PuTTY terminal emulator. Download the PuTTY installer from the official PuTTY Download Page.
Create a New sudoer User
When creating a new user to administer the VPS, choose a user name that is not published. Keep the user name dedicated to SSH login private and secure. Use a name that is difficult to guess, for example a combination of a name and a number, e.g. JDoe478.
Creating the new sudoer has already been covered by a previous article, see:
Check that the new user can log in over SSH and execute administrator commands. If so, the root login over SSH can be disabled.
Disable SSH Root Login
SSH configuration is controlled by the sshd_config file (in /etc/ssh). Edit sshd_config. For example use vi to edit sshd_config under the root login:
# vi /etc/ssh/sshd_config
Or sudo vi to edit sshd_config under the new user account:
$ sudo vi /etc/ssh/sshd_config
In vi move the cursor down to the line that has PermitRootLogin. In a default CentOS install it is likely to be in the section that starts with the Authentication comment:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
In vi press the Insert key or the a key to enter insert mode. Remove the # comment marker in front of PermitRootLogin. Then change the yes to no:
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
To save the changes in vi press the escape (Esc) key and enter the command :wq (colon w q).
Restart the SSH service. For CentOS 7 use:
# systemctl restart sshd.service
For CentOS 6 use the following to restart the SSH service:
# service sshd restart
Or:
$ sudo service sshd restart
The next time root tries to log in over SSH an Access denied message is seen:
login as: root
root@test's password:
Access denied
root@test's password:
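A quick check for the edit above, as an added example that is not part of the original article: sshd uses the first uncommented occurrence of a single-value keyword, so a PermitRootLogin no line placed after an earlier uncommented PermitRootLogin yes has no effect. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Reports the value sshd
# would use for a single-value global keyword in an sshd_config-style file.
# sshd takes the FIRST uncommented occurrence; keywords are case-insensitive.
# Limits: "keyword=value" lines, Include files and Match blocks are not
# evaluated, and multi-value keywords such as AllowUsers are out of scope.

effective_sshd_value() {   # $1 = keyword, $2 = config file path
    awk -v key="$1" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0; exit }
        END { print val }
    ' "$2"
}

root_login_disabled() {    # exit status 0 only if the effective value is "no"
    v=$(effective_sshd_value PermitRootLogin "$1" | tr '[:upper:]' '[:lower:]')
    [ "$v" = "no" ]
}

# Constructed sample files (hypothetical content, for demonstration only).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/edited.conf" <<'EOF'
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers JDoe478
EOF
cat > "$SAMPLE_DIR/shadowed.conf" <<'EOF'
permitrootlogin yes
# Authentication:
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
# Authentication:
#PermitRootLogin yes
EOF

for f in edited shadowed default; do
    if root_login_disabled "$SAMPLE_DIR/$f.conf"; then s="root SSH login disabled"
    else s="root SSH login NOT explicitly disabled"; fi
    printf '%s.conf: PermitRootLogin=%s (%s)\n' "$f" \
        "$(effective_sshd_value PermitRootLogin "$SAMPLE_DIR/$f.conf")" "$s"
done
```

On a real server, sshd -t checks the edited file for syntax errors before the restart, and sshd -T prints the effective configuration. Keep the current SSH session open until a new login as the sudoer has been confirmed.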
Limit Which CentOS Users can Login Over SSH
Edit the /etc/ssh/sshd_config as above. Add a line AllowUsers followed by the required user names:
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers JDoe478
Save the changes and restart the SSH service (see above). Only the users listed in the sshd_config file can log in via SSH.
See Also
- Virtualization Software for Windows, Run Another OS for Free
- Virtual CentOS on Windows Using VirtualBox to Run the VM
- SSH into VPS Virtual Machine on Windows Using PuTTY
- See the article Securing OpenSSH on the CentOS Wiki.
Author: Daniel S. Fowler