SECURING SSH ACCESS


Disabling the root user’s direct ssh shell access


When I look at the logwatch reports I get daily, most of the crap listed is dictionary attacks from bots or hackers, lots of them trying to get in via the root account. As a best practice, root SSH login should be disabled, and you should make use of the sudo function for server management purposes.

THE ACTUAL RECIPE


STEP 1


The first step is to add yourself to the sudoers file using the visudo command. This opens the sudoers file; navigate to the end of the file, type i to switch to insert mode, then enter the username you want to delegate rights to. The sudoers file contains numerous examples of rights. If you want your user to have full root management, you can copy the root rights line and substitute your user’s account for root. Here is an example:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
someuser ALL=(ALL) ALL

In the example above, I gave the account someuser the same rights as root. Check the sudoers file for other examples if you’d like to limit rights.

Press the escape (esc) key to leave insert mode, then type :wq to write your changes to the sudoers file and quit visudo.


STEP 2


Now that you’ve updated the sudoers file with the accounts that need root access, it’s time to disable root access in SSH. Using your favorite text editor, open the /etc/ssh/sshd_config file, and change the following parameter:

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes

to

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no

Then, save your changes, and restart the ssh service:

[root@server ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Try logging in as root; access will be denied. Log in with the credentials of the account you added to the sudoers file above, then type the following command:

sudo su -

You will be prompted for the account’s password again, and you will change to root.
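
A check for the edit made in Step 2, added here as an example (it is not part of the original recipe): sshd uses the first uncommented value it reads for a keyword, so a PermitRootLogin no line placed below an earlier active PermitRootLogin yes has no effect. The function name effective_root_login and the three sample files are constructed for illustration; the function reads only the global section and does not follow Include directives or Match blocks.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin setting of an sshd_config file.
# Prints the first uncommented value found before any Match block, or "unset".
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                # drop leading whitespace
        /^#/ || /^$/ { next }                 # skip comments and blank lines
        { n = split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }               # Match blocks are conditional: stop here
        key == "permitrootlogin" && n >= 2 {  # keywords are case-insensitive
            val = tolower(f[2]); gsub(/"/, "", val); exit
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Constructed sample files (not taken from a real server).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# "before": the setting is commented out, so the compiled-in default applies.
printf '%s\n' '# Authentication:' '' '#LoginGraceTime 2m' '#PermitRootLogin yes' > "$tmp/before"
# "after": the line as changed in Step 2.
printf '%s\n' '# Authentication:' '' '#LoginGraceTime 2m' 'PermitRootLogin no' > "$tmp/after"
# "shadowed": an earlier active line wins over the one added further down.
printf '%s\n' 'PermitRootLogin yes' '# Authentication:' 'PermitRootLogin no' > "$tmp/shadowed"

for f in before after shadowed; do
    printf '%-9s %s\n' "$f" "$(effective_root_login "$tmp/$f")"
done
```

On a live server, sshd -t validates the configuration file and sshd -T prints the effective settings, so both are worth running before the restart.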

Comments: This isn’t bulletproof, but a dictionary attack trying to authenticate as root through ssh will not succeed. Of course, if you are going to give another user sudo access, make sure to change passwords regularly and not use the same password on different systems.