In this article, you will learn how to disable root ssh login in CentOS 8.
Table of Contents:
- What is SSH (Secure Shell)?
- Environment Specification
- Create an Admin User in CentOS / RHEL 8
- Disable Root SSH login in CentOS / RHEL 8
- Conclusion
What is SSH (Secure Shell)? :
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH. (Courtesy: Wikipedia)
SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22 but we can configure SSH on a non-default port. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
Since, root is the Superuser in Linux and remote ssh login facility makes it the prime target for hackers. Hackers uses brute force or dictionary attack techniques to guess the password of root user.
In CentOS 8 / RHEL 8 default settings, root user is allowed to login at the SSH server by using a SSH client. Therefore, it is always advisable by the security experts to disable the root ssh logins on the Linux servers before making it live.
Environment Specification:
We are using a minimal CentOS 8 virtual machine with following specification.
- CPU - 3.4 Ghz (2 cores)
- Memory - 2 GB
- Storage - 20 GB
- Operating System - CentOS Linux 8.2
- Hostname – ssh-server-01.centlinux.com
- IP Address - 192.168.116.206 /24
Create an Admin User in CentOS / RHEL 8:
Connect with ssh-server-01.centlinux.com as root user by using a SSH client.
You are going to disable ssh root logins, therefore, you will need another user to access the server machine via SSH.
Although, you can use a normal user for this purpose. But we recommend that you should create an Admin user so you can perform administrative tasks from this user account as well.
# adduser -u 1001 -G wheel mansoor
Set the password of Admin user by using following command.
# echo "Str@ngPa55w0rd" | passwd --stdin mansoor
Changing password for user mansoor.
passwd: all authentication tokens updated successfully.
Disable Root SSH login in CentOS / RHEL 8:
Configuration files for SSH client/server are located in /etc/ssh directory.
Edit the SSH server configuration file by using vim editor.
# vi /etc/ssh/sshd_config
Locate following directives in this file.
PermitRootLogin yes
Update this directive as follows to disable root ssh logins.
PermitRootLogin no
Restart sshd service to take changes into effect.
# systemctl restart sshd.service
Now, disconnect from ssh-server-01.centlinux.com and try to connect again as root user.
# ssh root@ssh-server-01
root@ssh-server-01's password:
Permission denied, please try again.
root@ssh-server-01's password:
Permission denied, please try again.
root@ssh-server-01's password:
root@ssh-server-01: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Although, we are providing the same password, but we are unable to login.
Try again with the newly created admin user.
$ ssh mansoor@ssh-server-01
mansoor@ssh-server-01's password:
Last login: Sat Aug 22 12:42:39 2020 from ssh-client-01
$
We have successfully login to ssh-server-01.centlinux.com.
Now, we can switch to root user.
$ su -
Password:
Last login: Sat Aug 22 12:42:23 PKT 2020 on pts/0
#
So, you can still access the root user account, but disabling the root ssh logins reduces the risk of hacking attempts on your Linux server.
Conclusion:
You have successfully disabled root ssh logins on CentOS / RHEL 8. If you are having difficulty understanding the commands used in this guide, then there is a good book for you. The book title is How Linux Works, 2nd Edition: What Every Superuser Should Know Second Edition and it is written by Brian Ward.
No comments:
Post a Comment