Linux (CentOS) Securing and Hardening SSH / Shell Access

KB ID 0000881 

Problem

The following is by no means an extensive list of everything that can be done. It’s just a run through of what I would consider ‘good practice’.

Solution

Create a user for SSH and Remove Shell access for the ‘root’ user.

1. Connect to the server via SSH or open a terminal session and su to root. Create a new user, then set and confirm the new user’s password.

useradd {username}
passwd {username}

2. Test access for your new user.

Secure SSH

3. To make changes to shell access, you need to edit the sshd_config file; to do that I’m using the nano editor.

Note: If you do not have nano installed, run ‘yum install nano’.

nano /etc/ssh/sshd_config

4. Locate PermitRootLogin and change it to no.

5. Locate the “PermitRootLogin without-password” line and comment it out (prefix it with a hash #, or pound if you’re American).

# PermitRootLogin without-password

Limit SSH / Shell access to particular User(s)

6. Add the following line to allow only the user you created above.

AllowUsers {username}

Note: If you had multiple users, you can add them separated by a space.

Disable SSH Version 1 and Force SSH Version 2

7. Ensure Protocol 2 is NOT hashed out and activation of protocol 1 IS hashed out.

Change the SSH / shell Port Number

8. SSH by default runs over TCP port 22, which is a well-known port to advertise to the outside world. To change it (in this case to 2200), change the existing Port 22 line:

Port 2200

Note: There is no hard and fast rule on what port to use, but for production, I would suggest a random number above 1024 but below 65535.

9. At this point close nano and save the changes, (press CTRL+W and Y to save the changes).

10. The changes will not take effect until after you have restarted the SSH service/daemon.

service sshd restart

11. At this point you can check that the root user no longer has SSH / Shell access.

12. But your SSH user has.
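
The settings from steps 4 to 8 can be checked in one pass before the restart in step 10. The script below is an added example, not part of the original article: the function names, the user name sshuser and the sample file are assumptions. It reads only the first AllowUsers line and expects plain user names on it.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config against steps 4-8 before restarting sshd.
# Print the first global value of keyword $2 in file $1. Keywords are
# case-insensitive, and for most keywords sshd keeps the first value read.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/         { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }   # settings after Match are conditional
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one FAIL line per finding; the return status is the number of findings.
# $1 = config file, $2 = the SSH user created in step 1 (hypothetical name).
audit_sshd_config() {
    local file="$1" user="$2" fails=0 val
    val=$(sshd_value "$file" PermitRootLogin)
    [ "$val" = "no" ] || { echo "FAIL PermitRootLogin is '${val:-unset}'"; fails=$((fails + 1)); }
    val=$(sshd_value "$file" AllowUsers)
    case " $val " in
        *" $user "*) ;;
        *) echo "FAIL AllowUsers does not list $user"; fails=$((fails + 1)) ;;
    esac
    val=$(sshd_value "$file" Protocol)
    case "$val" in
        "" | 2) ;;   # assumption: an unset Protocol means the build defaults to 2
        *) echo "FAIL Protocol is '$val'"; fails=$((fails + 1)) ;;
    esac
    val=$(sshd_value "$file" Port)
    [ "${val:-22}" != 22 ] || { echo "FAIL Port is still 22"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: step 5 was skipped, so the active without-password
# line is read first and overrides the "PermitRootLogin no" below it.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
Port 2200
Protocol 2
PermitRootLogin without-password
PermitRootLogin no
AllowUsers sshuser
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd_config "$tmp" sshuser || echo "$? finding(s)"; rm -f "$tmp"
```

Point audit_sshd_config at /etc/ssh/sshd_config from a second open session before restarting sshd, so a mistake in the file does not cost you your only login.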


 


 

Author: Migrated
