Learn how to disable SSH login for the root user on CentOS 8 with our step-by-step guide. Enhance your server’s security by preventing direct root access over SSH. #centlinux #linux #ssh
Table of Contents
What is SSH?
SSH, or Secure Shell, is a cryptographic network protocol used for securely operating network services over an unsecured network. The most common application of SSH is for remote login to computer systems by users. Here are the key aspects of SSH:
Key Features
- Encryption: SSH provides strong encryption for data transmitted over the network, ensuring that any intercepted communications cannot be read by unauthorized parties.
- Authentication: Supports multiple methods of authentication, including password-based login, public key authentication, and two-factor authentication.
- Command Execution: Allows users to execute commands on a remote machine securely. This is particularly useful for administrative tasks and automation scripts.
- Secure File Transfer: Includes protocols like SFTP (SSH File Transfer Protocol) and SCP (Secure Copy Protocol) for secure file transfer between machines.
- Port Forwarding: Enables the forwarding of network ports, which can securely tunnel other protocols and services through an encrypted SSH connection.
Common Uses
- Remote Administration: SSH is widely used by system administrators for remote management of servers and network devices.
- Secure File Transfers: Facilitates secure file transfers between computers using SFTP and SCP.
- Tunneling and Port Forwarding: Used to tunnel other network services securely through an encrypted connection, often used to bypass firewalls or secure otherwise insecure protocols.
- Automated Scripts: Enables running automated scripts for routine administrative tasks on remote servers.
How SSH Works
- Client-Server Model:
- SSH operates on a client-server model. The SSH client initiates a connection to the SSH server.
- The server listens for incoming connections on a designated port (default is port 22).
- Authentication Process:
- The client and server authenticate each other using various methods such as passwords, public key authentication, or Kerberos.
- Once authenticated, an encrypted session is established.
- Session Encryption:
- After authentication, all data exchanged between the client and server is encrypted, ensuring privacy and data integrity.
Security Benefits
- Prevents Eavesdropping:
- The encrypted communication ensures that any data intercepted by a third party cannot be understood.
- Protects Against Man-in-the-Middle Attacks:
- SSH verifies the identity of the server, preventing attackers from intercepting or tampering with the data.
- Enhances Access Control:
- By disabling root login over SSH and using key-based authentication, SSH enhances access control and reduces the risk of unauthorized access.
Summary
SSH is a fundamental tool for secure remote administration, encrypted file transfers, and tunneling network services. Its robust encryption and authentication mechanisms make it a preferred choice for securely managing and accessing remote systems.
Read Also: How to Disable SSH Root Login in Linux 9
Problem Definition
SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22 but we can configure SSH on a non-default port. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
Since, root is the Superuser in Linux and remote ssh login facility makes it the prime target for hackers. Hackers uses brute force or dictionary attack techniques to guess the password of root user.
In CentOS 8 / RHEL 8 default settings, root user is allowed to login at the SSH server by using a SSH client. Therefore, it is always advisable by the security experts to disable the root ssh logins on the Linux servers before making it live.
Recommended Online Training: Learn Bash Shell in Linux for Beginners
Environment Specification
We are using a minimal CentOS 8 virtual machine with following specification.
- CPU – 3.4 Ghz (2 cores)
- Memory – 2 GB
- Storage – 20 GB
- Operating System – CentOS Linux 8.2
- Hostname – ssh-server-01.centlinux.com
- IP Address – 192.168.116.206 /24
Create an Admin User in CentOS 8
Connect with ssh-server-01.centlinux.com as root user by using a SSH client.
You are going to disable SSH login for root, therefore, you will need another user to access the server machine via SSH.
Although, you can use a normal user for this purpose. But we recommend that you should create an Admin user so you can perform administrative tasks from this user account as well.
# adduser -u 1001 -G wheel mansoor
Set the password of Admin user by using following command.
# echo "Str@ngPa55w0rd" | passwd --stdin mansoor
Changing password for user mansoor.
passwd: all authentication tokens updated successfully.
Disable SSH Login for root
Configuration files for SSH client/server are located in /etc/ssh directory.
Edit the SSH server configuration file by using vim editor.
# vi /etc/ssh/sshd_config
Locate following directives in this file.
PermitRootLogin yes
Update this directive as follows to disable SSH login for root.
PermitRootLogin no
Restart sshd service to take changes into effect.
# systemctl restart sshd.service
Now, disconnect from ssh-server-01.centlinux.com and try to connect again as root user.
# ssh root@ssh-server-01
root@ssh-server-01's password:
Permission denied, please try again.
root@ssh-server-01's password:
Permission denied, please try again.
root@ssh-server-01's password:
root@ssh-server-01: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Although, we are providing the same password, but we are unable to login.
Try again with the newly created admin user.
$ ssh mansoor@ssh-server-01
mansoor@ssh-server-01's password:
Last login: Sat Aug 22 12:42:39 2020 from ssh-client-01
$
We have successfully login to ssh-server-01.centlinux.com.
Now, we can switch to root user.
$ su -
Password:
Last login: Sat Aug 22 12:42:23 PKT 2020 on pts/0
#
So, you can still access the root user account, but disabling the SSH root logins reduces the risk of hacking attempts on your Linux server.
Conclusion
In this article, you have learned how to disable SSH login for root on CentOS 8. If you are having difficulty understanding the commands used in this guide, then there is a good book for you. The book title is How Linux Works, 2nd Edition: What Every Superuser Should Know Second Edition (PAID LINK) and it is written by Brian Ward.