When managing online servers that can be accessed from anywhere, you may want to add some level of security by disabling SSH logon for the root account.
By default when you install CentOS 7 and SSH server, the root account automatically have remote access via SSH. This can be dangerous. If the root account password falls into the wrong hands, your server is at the mercy of the bad guys with the password. They can delete every file and folder on the server and take down the entire system with few commands
That’s why limiting the root account from directly accessing the server is recommended.
A more secure way to protect your online servers is by enabling password-less logon. This method is by far the best. Your servers only allow computers with the private encryption key that matches the public key stored on the servers.
Servers that are configure with no password logon will denied all users attempting to sign on using passwords and only allow computers with the correct encryption keys.
To learn how to configure password-less SSH logon on CentOS servers, please read this post.
Now, if you don’t want to enable password-less logon, but wish to disable the root account from logging on, then continue below. The steps below will show you how to accomplish that in CentOS 7.
Remember, all user accounts on the system automatically are allowed SSH access by default. You can limit that and I will show you how to do it in another tutorial.
- Disabling Root SSH Access in CentOS
By default the root account automatically have SSH access remotely. After installing CentOS and the SSH server, open any SSH client and attempt to sign on as root. Access will be granted.
To disable that, open SSH configuration file using the commands below.
sudo vi /etc/ssh/sshd_config
Then change the line as shown below :
#Authentication: #LoginGranceTime 2m #PermitRootLogin no #StrictMode yes #MaxAuthTries 6 #MaxSessions 10
Change the highlighted line above by removing the # symbol. It should be like this:
Save the file and restart the SSH server by running the commands below.
sudo systemctl restart sshd.service
Now try logging in as root and you’ll be denied or access won’t be granted.
To re-enable the root account, just put the # symbol for the PermitRootLogin directive in the file and save it. The restart SSH server.
Another thing to remember is that SSH traffic blocked on the firewall by default. You won’t be able to access the SSH server remotely by default.
You must enable SSH through the firewall. To do that in CentOS 7, run the commands below.
firewall-cmd --permanent --zone=public --add-service=ssh
Then reload the firewall to connect.