When managing servers that are reachable from anywhere on the internet, one cheap layer of hardening is to disable SSH logon for the root account.
By default, when you install CentOS 7 with the SSH server, the root account can log in remotely over SSH. This is dangerous: root is the one username every attacker already knows, so a password-guessing attack only has to get the password right, and if the root password falls into the wrong hands the server is completely at the mercy of whoever holds it. They can delete every file and folder on the server and take down the entire system with a few commands.
That is why it is recommended to stop the root account from logging on to the server directly, and to administer it through a regular user account that can use sudo instead.
A more secure way to protect your servers is to enable password-less (key-based) logon. This method is by far the best: your servers only accept connections from computers that hold the private key matching a public key stored on the server, in the user's ~/.ssh/authorized_keys file.
A server configured for key-only logon (PasswordAuthentication set to no) denies every attempt to sign on with a password and only admits clients presenting the correct key, so a guessed, reused or phished password is no longer enough to get in.
To learn how to configure password-less SSH logon on CentOS servers, please read this post.
Now, if you do not want to enable password-less logon but wish to stop the root account from logging on, continue below. The steps below show how to accomplish that in CentOS 7.
Remember, by default every user account on the system with a valid password and login shell is allowed SSH access. You can limit that with the AllowUsers or AllowGroups directives, and I will show you how to do it in another tutorial.
- Disabling Root SSH Access in CentOS
By default the root account has remote SSH access. After installing CentOS and the SSH server, open any SSH client and attempt to sign on as root: access will be granted.
To disable that, open the SSH server configuration file using the command below.
sudo vi /etc/ssh/sshd_config
Then find the lines shown below. In the stock CentOS 7 file these directives are commented out, and sshd's built-in default for PermitRootLogin is yes, which is why root logon is allowed even though the line starts with #:
#Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Change the PermitRootLogin line by removing the # symbol and setting its value to no. It should look like this:
PermitRootLogin no
Before you go further, make sure you already have a regular user account that can use sudo (a member of the wheel group) and that you can log in with it; otherwise you will lock yourself out of administering the server remotely. Then save the file and restart the SSH server by running the command below. Existing sessions stay open, so keep your current session connected and test the new behaviour from a second one.
sudo systemctl restart sshd.service
Now try logging in as root and the server will refuse the login (Permission denied), even when the password is correct.
To re-enable the root account later, put the # symbol back in front of the PermitRootLogin directive (which restores sshd's default of yes) or set the value to yes explicitly, save the file, then restart the SSH server. If you want root to be able to log in with a key but never with a password, set PermitRootLogin prohibit-password instead (older OpenSSH releases spell this without-password; CentOS 7 accepts both).
Another thing to remember is that the SSH server is only reachable remotely if the firewall lets the traffic through. A default CentOS 7 install with firewalld already allows the ssh service in the public zone, but if you use a different zone or have removed the service you must add it back.
To do that in CentOS 7, run the command below as root or with sudo.
sudo firewall-cmd --permanent --zone=public --add-service=ssh
Then reload the firewall so the permanent rule takes effect.
sudo firewall-cmd --reload
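The procedure above, and the password-less option mentioned earlier in the post, as one script. This is an added example, not code from the original post: it rewrites an sshd_config directive in place, handles the two ways a hand edit commonly goes wrong (a commented-out or duplicate line that sshd silently ignores, and a line appended after a Match block so that it no longer applies globally), and only touches the live server when run with a hypothetical --apply flag after checking that a wheel-group user exists and that sshd accepts the new file. The sample config lines are constructed from the stock CentOS 7 file; the Match block and the backup user in it are invented for the demo.

```shell
#!/bin/bash
# Added example, not code from the original post: edit an sshd_config directive
# safely, check the result, and touch the live server only on explicit request.
set -u

# set_sshd_option FILE KEY VALUE
# Rewrites the first global (pre-Match) line for KEY, whether live or commented
# out like "#PermitRootLogin yes", as "KEY VALUE". Later global duplicates are
# dropped because sshd honours the first occurrence, so a stale copy further
# down would silently win. Lines inside "Match" blocks are left alone, and a
# missing KEY is inserted before the first Match block: appending it at the
# end of the file would put it inside the last Match block instead.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp rc=0
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    tolower($1) == "match" && !in_match {
      in_match = 1
      if (!done) { print k " " v; done = 1 }
    }
    !in_match {
      line = $0
      sub(/^[#[:space:]]+/, "", line)          # "#Key val" -> "Key val"
      split(line, f, /[[:space:]]+/)
      if (tolower(f[1]) == tolower(k)) {
        if (!done) { print k " " v; done = 1 }
        next
      }
    }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" || rc=$?
  [ "$rc" -eq 0 ] && cat "$tmp" > "$file"   # keeps the file's owner and mode
  rm -f "$tmp"
  return "$rc"
}

# get_sshd_option FILE KEY
# Prints the effective global value of KEY, or nothing when the file leaves it
# at sshd's compiled-in default (for PermitRootLogin on CentOS 7 that is yes).
get_sshd_option() {
  awk -v k="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# The change this post describes, and the stricter password-less variant it
# mentions: with PasswordAuthentication off, only accounts whose public key is
# in ~/.ssh/authorized_keys can log in at all, so install keys first.
disable_root_login() { set_sshd_option "$1" PermitRootLogin no; }
require_key_auth()   { set_sshd_option "$1" PasswordAuthentication no; }

# Demo on a constructed copy of the stock CentOS 7 lines, not the live file.
DEMO=$(mktemp); trap 'rm -f "$DEMO"' EXIT
cat > "$DEMO" <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
Match User backup
    PermitRootLogin no
EOF
disable_root_login "$DEMO"
echo "PermitRootLogin is now: $(get_sshd_option "$DEMO" PermitRootLogin)"   # no

# Live run (hypothetical flag): sudo ./harden-sshd.sh --apply
# Refuses to continue unless a non-root account can still administer the box
# (any member of the wheel group), validates the new file with sshd -t before
# restarting, and keeps a dated backup for rollback from the console.
if [ "${1-}" = "--apply" ]; then
  cfg=/etc/ssh/sshd_config
  [ -n "$(getent group wheel | cut -d: -f4)" ] || { echo "no wheel member; add a sudo user first" >&2; exit 1; }
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  disable_root_login "$cfg"
  sshd -t -f "$cfg" || { echo "sshd rejected $cfg; restore from the .bak copy" >&2; exit 1; }
  systemctl restart sshd.service
  firewall-cmd --permanent --zone=public --add-service=ssh && firewall-cmd --reload
fi
```

Run it without arguments to see the edit applied to the constructed sample; the --apply path needs root and is the only part that changes the real server. The firewall lines at the end are harmless when the ssh service is already allowed.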
That’s it!
Enjoy!
Frequently Asked Questions
How to disable root SSH logon on CentOS 7 for enhanced security?
To disable root SSH logon on CentOS 7, you can modify the SSH configuration file to deny root login. This helps protect your server from unauthorized access and potential security threats.
What are the dangers of leaving root SSH access enabled on CentOS 7?
Leaving root SSH access enabled on CentOS 7 can pose significant security risks. If the root account's password is compromised, malicious users can gain full control of your server and cause extensive damage.
What is password-less logon and how does it enhance server security?
Password-less logon enhances server security by allowing access only to clients that hold the private key matching a public key stored on the server. It removes the risk that a guessed, reused or phished password grants access; the private key itself still has to be protected, ideally with a passphrase.
How can I implement password-less SSH logon on CentOS servers?
To configure password-less SSH logon on CentOS servers, generate a key pair on your computer with ssh-keygen, copy the public key into the target user's ~/.ssh/authorized_keys on the server (ssh-copy-id does this for you), confirm that key logon works, and only then set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd. This gives secure access without passwords.
Why is it recommended to limit root account access on CentOS servers?
Limiting root account access on CentOS servers is crucial for security. By restricting root logins, you reduce the risk of unauthorized users gaining control over the entire system and compromising your data.
What steps can I follow to disable root SSH access in CentOS 7?
To disable root SSH access in CentOS 7, you need to edit the SSH configuration file and set 'PermitRootLogin no'. This simple step enhances the security of your server by preventing direct root logins.
How can I prevent users from signing on using passwords in CentOS servers?
To prevent users from signing on with passwords on CentOS servers, install their public keys first, then set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd. Every user must then authenticate with a key, which removes password-based logins as an attack surface.
Are all user accounts allowed SSH access by default on CentOS servers?
Yes. By default, any account on a CentOS server with a valid password and login shell can log in via SSH. Restrict this with the AllowUsers or AllowGroups directives in sshd_config so that only the accounts you list can connect.