We all know that CentOS comes with root access disabled for the outside world by default. This means that you cannot log in directly as the root user via SSH, but you can still use root privileges through the ‘sudo’ command instead.
However, sometimes it is more convenient to log in directly as the root user. That’s why in this article, we will talk about how to enable, disable and secure the SSH login to your server when attempting to log in as root.
Before we start, a few requirements need to be fulfilled.
Requirements:
- Installed CentOS;
- Access via SSH to your VPS;
- A regular user that can use ‘su’ or ‘sudo’ to gain root privileges;
Log in to your CentOS VPS via SSH as a regular user with sudo privileges:
ssh user_name@Server_IP_Address -p Port_Number
Disable SSH Root Login
In order to disable the root login, we need to modify the main ssh configuration file “sshd_config” with a text editor of your choice. In our example, we will use nano as an editor.
nano /etc/ssh/sshd_config
Now search for this line below in the file.
#PermitRootLogin no
Uncomment the line by removing the ‘#’ from the beginning of the line. The line in the file should look like this:
PermitRootLogin no
By executing the following command we will restart the SSH daemon service:
systemctl restart sshd.service
Now when you try to log in as the root user, you should get an “Access denied” error.
login as: root
root@Server_IP_Address password:
Access denied
root@Server_IP_Address password:
At this point, you are not able to log in directly as root, but you can still log in as a normal user with sudo privileges and use ‘sudo’ or ‘su’ command to switch to the root user. For example:
login as: username
username@Server_IP_Address password:
Last login: Wed Sep 26 12:11:38 2018 from IP_address
[username@hostname ~]$ su -
Password:
Last login: Thu Sep 27 11:05:19 CDT 2018 from IP_address on pts/1
[root@hostname ~]#
Enable SSH Root Login
In order to enable logging in as root, we need to modify the main ssh configuration file “sshd_config” with a text editor of your choice. In our example, we will use nano as an editor.
nano /etc/ssh/sshd_config
Find the following line in the file.
PermitRootLogin no
Comment the line out by adding a ‘#’ at the beginning of the line, or change ‘no’ to ‘yes’ like in the examples shown below.
#PermitRootLogin no
or
PermitRootLogin yes
After we save the file we should restart the sshd service.
systemctl restart sshd.service
You can now try to log in directly as a root user.
login as: root
root@Server_IP_Address password:
Last login: Wed Sep 27 12:22:50 2018 from IP_address
[root@hostname ~]#
Secure SSH Access in CentOS 7
In this section, we will provide you with a few simple tips on how to secure SSH access on your CentOS 7 server.
Changing the SSH Server Port
In order to change the standard listening port, you need to modify the SSH configuration file by using the command below:
nano /etc/ssh/sshd_config
Next, you need to find the line that refers to the port number. After you find the port number (the default value should be 22), you can edit the default one to the number you prefer.
When you are finished with editing, press Ctrl+O, and then press Ctrl+X in order to save and exit.
Restart the SSH daemon service by executing the command:
systemctl restart sshd.service
Disabling SSH Protocol 1
There are two versions of the SSH protocol: SSHv1 and SSHv2. Using the SSHv1 protocol is not recommended because it’s an older version and is less secure than the newer SSHv2 protocol. In this section, we will disable SSHv1. If you need this version for any reason, then you can ignore this part.
Open the SSH configuration file with this command:
nano /etc/ssh/sshd_config
Uncomment the line
Protocol 2,1
and edit it to:
Protocol 2
Now we should restart the SSH service in order for the new configuration to take effect. We can do that by executing this command:
systemctl restart sshd.service
Disabling root access is also one of the ways to secure your SSH server, which we showed you at the beginning of the article.
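The edit-and-restart procedure used in each section above, as an added example that is not code from the original article; `set_sshd_option` and `apply_sshd_option` are hypothetical helper names. It rewrites the first active occurrence of a keyword (sshd uses the first value it reads for each keyword), leaves `Match` blocks untouched, and has `sshd -t` parse the edited copy before the live file is replaced, so a typo cannot lock you out after the restart.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the article.

# set_sshd_option FILE KEYWORD VALUE
# Sets KEYWORD in the global section of FILE. Commented lines are left alone,
# later active duplicates are dropped, and a missing keyword is inserted
# before the first Match block (or appended if there is none).
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { k = tolower(key) }
        # First Match line: make sure the keyword is set before it begins.
        !in_match && tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        # Active global line for this keyword: rewrite the first, drop the rest.
        !in_match && tolower($1) == k {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply_sshd_option KEYWORD VALUE   (run as root)
# Edits a copy, validates it with "sshd -t", keeps a backup of the live file,
# and restarts the daemon only if every earlier step succeeded.
apply_sshd_option() {
    live=/etc/ssh/sshd_config
    work=$(mktemp) || return 1
    cp "$live" "$work" &&
        set_sshd_option "$work" "$1" "$2" &&
        sshd -t -f "$work" &&
        cp -p "$live" "$live.bak" &&
        cat "$work" > "$live" &&
        systemctl restart sshd.service
    rc=$?
    rm -f "$work"
    return $rc
}

# Example (as root): apply_sshd_option PermitRootLogin no
```

Keep your current SSH session open and test the change from a second terminal before logging out. When changing `Port` on CentOS 7 with SELinux enforcing and firewalld running, the new port also has to be allowed first with `semanage port -a -t ssh_port_t -p tcp PORT` and `firewall-cmd --permanent --add-port=PORT/tcp` followed by `firewall-cmd --reload`.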
In this tutorial, we learned how to disable and enable the root login in SSH.
We also learned how to secure the SSH server by changing the port number, disabling root access, and disabling the SSH protocol SSHv1.
If you are one of our managed VPS hosting clients, you can simply ask our system administrators to Enable or Disable root login through SSH on your CentOS server. They are available 24/7 and will take care of your request immediately.
If you find this blog post useful, please share it with your friends via social media networks, or if you have any questions please leave a comment below and we will reply to it. Thanks!
Can we disable specific ports for a specific user? If so, how do we do it?
Yes, you can disable specific ports on a specific user.
Check your user id using:
id username
Replace username with the actual username.
For example, to block a local user from accessing outgoing port 25 use:
iptables -t filter -A OUTPUT -p tcp --dport 25 --match owner --uid-owner 501 -j DROP
Replace 501 with the actual user id.
For more help about this, run:
iptables -m owner --help