Securing SSH on CentOS 7

SSH is one of the most common targets of automated attacks against any internet-facing Linux host, so hardening it should be one of the first things you do on a new CentOS 7 server. I'll show you how to secure SSH by changing the port, disabling root login over SSH, and disabling password authentication in favour of keys. Do the steps in that order and keep your current session open throughout: every one of these changes can lock you out if you get it wrong, and a second terminal is how you prove you haven't.

Changing the SSH port

Moving sshd off port 22 does not make it any harder to break into; what it does is get your server out of the path of the constant automated scans and brute-force runs aimed at the default port, which cuts log noise dramatically and removes you from the cheapest class of attack. Treat it as a convenience on top of the real controls further down (no root login, keys only), not as a substitute for them.

1. Update the sshd configuration file

sudo vim /etc/ssh/sshd_config

Change this line:

#Port 22

To this:

Port 578

Or whichever unused port you prefer. The line must be uncommented: the # in front of the default means it is ignored and the compiled-in default of 22 applies.

On CentOS 7 SELinux only allows sshd to bind port 22 out of the box. Before you reload sshd, add the new port to the ssh_port_t type with semanage (from the policycoreutils-python package); otherwise sshd will be unable to bind the port when it is reloaded and no new connections will be accepted.

2. Update firewalld

Add the new port. The zone should be whichever one your interface is in; public is the CentOS 7 default, and firewall-cmd --get-active-zones will tell you:

sudo firewall-cmd --permanent --zone=public --add-port=578/tcp

Reload the firewall:

sudo firewall-cmd --reload

The ssh service (port 22) stays allowed in the zone for now, which is what you want until you have confirmed the new port works. Remove it afterwards so the firewall matches what sshd actually listens on.

3. Reload sshd

sudo systemctl reload sshd

Do not log out yet. From a second terminal, connect with ssh -p 578 to the server and make sure you get a shell. If you don't, your original session is still open and you can fix the config (or the SELinux port label) and reload again.

Disable root user login over SSH

Every Linux box has a root account, so an attacker brute-forcing root only has to guess one thing: the password. With PermitRootLogin no, they have to guess a valid unprivileged username as well as its credential, and every privileged action on the box has to go through sudo under a named account, which also gives you an audit trail of who did what.

1. Create a user with sudo privileges

You are presumably still logged in as root at this point, so these run without sudo. Replace <username> with the account name you want:

Create user:

adduser <username>

Give the user a new password:

passwd <username>

Add the user to the wheel group to give it sudo access:

usermod -aG wheel <username>

Before you go any further, log in as the new user in a second terminal and check that sudo -i gets you a root shell. If it doesn't, fix that now, while root can still log in.

2. Update the sshd configuration file

sudo vim /etc/ssh/sshd_config

Change this line:

#PermitRootLogin yes

To this:

PermitRootLogin no

As with Port, the leading # has to go; a commented PermitRootLogin line leaves the default of yes in force.

3. Reload sshd

sudo systemctl reload sshd

From the second terminal, confirm that root is now refused and that your new user still gets in.

Disable password authentication

Finally, we'll disable password authentication altogether. A password is something an attacker can guess over the network; a private key is not (the default RSA key ssh-keygen produces on CentOS 7 is 2048 bits, far beyond anything that can be brute-forced online). Once keys are the only accepted method, password guessing against sshd stops working entirely, whatever port it listens on.

1. Create an SSH key pair

On your local workstation, create an ssh keypair at the command line:

ssh-keygen

Accept the default location and give the key a passphrase. The passphrase protects the private key file if your workstation is ever compromised; ssh-agent can cache it so you are not typing it for every connection.

2. Copy the public key to your server

ssh-copy-id -p 578 <username>@<server>

Put -p before the user@host argument; ssh-copy-id stops parsing options at the first non-option argument. It logs in with the user's password once and appends the public key to ~/.ssh/authorized_keys on the server, which is why this step must happen before password authentication is switched off. Confirm that ssh -p 578 <username>@<server> now logs you in without a password prompt before continuing.

3. Update the sshd configuration file

sudo vim /etc/ssh/sshd_config

Change this line:

PasswordAuthentication yes

To this:

PasswordAuthentication no

In the CentOS 7 default file this line is already uncommented, and there is a commented #PasswordAuthentication yes a few lines above it; leave the comment alone and change the active line. While you are in the file, confirm that ChallengeResponseAuthentication is set to no (it is by default). With UsePAM yes, leaving challenge-response enabled would let PAM's keyboard-interactive method keep accepting passwords even after PasswordAuthentication no.

4. Reload sshd

sudo systemctl reload sshd

Your current session survives the reload. Before you close it, open another one and make sure the key logs you in, and that forcing a password attempt (ssh -o PubkeyAuthentication=no -p 578 <username>@<server>) is refused rather than prompting for a password.
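Putting the three procedures above together, here is an added example script (mine, not from the original post) that makes all of the sshd_config changes idempotently, checks the result, and then runs the SELinux, firewalld and reload steps in the order that avoids a lockout. It assumes the CentOS 7 default sshd_config with no Match blocks, that policycoreutils-python is installed so semanage exists, that firewalld is active with the interface in the public zone, and that the <username>@<server> placeholders in its output are yours to fill in. The script name harden-sshd.sh and the function names are my own.

```shell
#!/usr/bin/env bash
# harden-sshd.sh: apply the three changes from this post to sshd_config in one
# idempotent pass, check the result, and only then touch SELinux, firewalld and sshd.
#
# Assumptions (not from the original post): CentOS 7 default sshd_config with no
# "Match" blocks, policycoreutils-python installed (provides semanage), firewalld
# active, interface in the "public" zone. Run as root:  ./harden-sshd.sh --apply 578
set -eu

# Set KEY to VALUE in the sshd_config at FILE. sshd honours the first occurrence of a
# directive, so every active line for KEY is dropped and the new one is written at the
# top of the file, where it cannot land inside a trailing Match block. Commented-out
# defaults such as "#Port 22" are left in place as documentation.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { print k " " v }
    tolower($1) == tolower(k) { next }
    { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # rewrite in place: keeps inode, owner and SELinux label
  rm -f "$tmp"
}

# Print the effective (first active) value of KEY in FILE, or nothing if it is unset.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Apply the post's settings. ChallengeResponseAuthentication is set explicitly because
# with UsePAM yes, leaving it enabled lets keyboard-interactive logins keep accepting
# passwords even after PasswordAuthentication no.
harden_sshd_config() {
  local file=$1 port=$2
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" ChallengeResponseAuthentication no
  set_sshd_option "$file" PubkeyAuthentication yes
}

# Report every directive that is not in the hardened state; returns 1 if any is found.
audit_sshd_config() {
  local file=$1 port=$2 fail=0 key want got
  while read -r key want; do
    got=$(get_sshd_option "$file" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', want '$want'"
      fail=1
    fi
  done <<EOF
Port $port
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
  return $fail
}

# Live changes, in the order that avoids a lockout: backup -> config -> syntax check ->
# SELinux label -> firewall -> reload. Keep your current session open and test the new
# port from a second terminal before removing the old ssh service from the zone.
apply_hardening() {
  local port=$1 cfg=/etc/ssh/sshd_config
  cp -a "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  harden_sshd_config "$cfg" "$port"
  sshd -t -f "$cfg"                                   # stop here on a bad config
  semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$port"  # -m if the port already has a type
  firewall-cmd --permanent --zone=public --add-port="${port}/tcp"
  firewall-cmd --reload
  systemctl reload sshd
  audit_sshd_config "$cfg" "$port"
  echo "sshd now listens on ${port}; verify with: ssh -p ${port} <username>@<server>"
  echo "then run: firewall-cmd --permanent --zone=public --remove-service=ssh && firewall-cmd --reload"
}

if [ "${1-}" = "--apply" ]; then
  apply_hardening "${2:-578}"
fi
```

Try the config functions against a copy of the file first (harden_sshd_config on /tmp/sshd_config.test followed by audit_sshd_config) to see exactly what changes. Only --apply touches the live system, and it stops at sshd -t if the rewritten file is not valid, at which point the timestamped .bak copy next to sshd_config is your way back.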

Conclusion

With these changes an attacker on the internet has to find the port, guess a valid non-root username, and then present the matching private key, and the last of those cannot be brute-forced. Password guessing against sshd, which is what nearly every failed login you see in /var/log/secure is attempting, no longer works at all. None of this replaces keeping openssh-server patched with yum update, or keeping the private key and its passphrase safe on your workstation; do both and you have closed off the realistic attacks on SSH.
