SSH Root Login Disable for CentOS VPS Improved Security

The security of the default install of a CentOS Operating System (OS) can be improved. One option is to disable the Root login over SSH (switching to a non-root user instead, i.e. a sudoer). Here are the steps to disable SSH root access:

1. Create an alternative user for SSH access.
2. Make the new user a sudoer.
3. Test the new user's SSH login.
4. If login is successful prevent SSH login for root.
5. Optionally limit which users can use SSH logins.

Help Harden CentOS by Stopping SSH Root Logins

This tutorial assumes that access to a VPS running a minimal install of CentOS is available. If accessing a live VPS back up important data. It is possible to test the following actions on a local VPS running in a Virtual Machine (VM). To do so see these tutorials:

• Virtualization Software for Windows, Run Another OS for Free
• Virtual CentOS on Windows Using VirtualBox to Run the VM
• SSH into VPS Virtual Machine on Windows Using PuTTY

All the commands in this tutorial where tested on a Windows PC running the PuTTY terminal emulator. Download the PuTTY installer from the official PuTTY Download Page.

Create a New sudoer User

When creating a new user to administer the VPS choose a user name that is not published. Keep the user name dedicated for SSH login private and secure. Use a difficult to guess name. For example a combination of a name and a number, e.g. JDoe478.

Creating the new sudoer has already been covered by a previous article, see:

• New User for CentOS VPS Created Using SSH

Check that the new user can log in over SSH and execute administrator commands. If so the root login over SSH can be disabled.

Disable SSH Root Login

SSH configuration is controlled by the sshd_config file (in /etc/ssh). Edit sshd_config. For example use vi to edit sshd_config under the root login:

# vi /etc/ssh/sshd_config

Or sudo vi to edit sshd_config under the new user account:

$ sudo vi /etc/ssh/sshd_config

In vi move the cursor down to the line that has PermitRootLogin. In a default CentOS install it is likely to be in the section that starts with the Authentication comment:

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes

In vi press the Insert or a key to enter insert mode. Remove the # comment marker in front of PermitRootLogin. Then change the yes to no:

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no

To save the changes in vi press the escape (Esc) key and enter the command :wq (colon w q).

Restart the SSH service. For CentOS 7 use:

# systemctl restart sshd.service

For CentOS 6 use the following to restart CentOS:

# service sshd restart

Or :

$ sudo service sshd restart

The next time root tries to login over SSH an Access denied message is seen.

login as: root
root@test's password:
Access denied
root@test's password:

Limit Which CentOS Users can Login Over SSH

Edit the /etc/ssh/sshd_config as above. Add a line AllowUsers followed by the required user names:

# Authentication:

#LoginGraceTime 2m  
PermitRootLogin no  
AllowUsers JDoe478

Save the changes and restart the SSH service (see above). Only the users listed in the sshd_config file can log in via SSH.

See Also

• Virtualization Software for Windows, Run Another OS for Free
• Virtual CentOS on Windows Using VirtualBox to Run the VM
• SSH into VPS Virtual Machine on Windows Using PuTTY
• See the article Securing OpenSSH on the CentOS Wiki.
• View related articles on CentOS and Virtual Private Servers (VPS).
• View the Tek Eye full Index for other articles.