Secure remote login is a crucial aspect of server and network infrastructure management. Secure Shell (SSH) provides a secure mechanism for authentication and data transmission between a client and server. In this article, we'll focus on advanced security measures for SSH on the CentOS 7 operating system, including the use of key-based authentication and disabling root login.
Using Key-Based Authentication
Key-based authentication provides a more secure alternative to traditional password authentication. This process utilizes public and private keys to verify a user's identity without the need to transmit a password over the network.
-
Generating SSH Keys On the client machine, use the
ssh-keygen
command to generate a new SSH key pair. Specify the location to save the key file and a passphrase for additional protection of the private key. -
Copying the Public Key to the Server Use the
ssh-copy-id user@server
command, whereuser
is your user account on the CentOS 7 server andserver
is the server's address. This command copies your public key to the~/.ssh/authorized_keys
file on the server. -
Configuring SSH Daemon on the Server Modify the
/etc/ssh/sshd_config
file on the server to make key-based authentication mandatory. SetPasswordAuthentication no
, which disables login using a password.
Disabling Root Login
Logging in directly as the root user via SSH presents significant security risks. To enhance security, it's recommended to disable root login and use sudo for executing privileged operations.
-
Editing SSH Daemon Configuration In the
/etc/ssh/sshd_config
file, find thePermitRootLogin
line and change its value tono
. This prevents direct root user login via SSH. -
Restarting SSH Service After saving the changes in the configuration file, restart the SSH daemon using the
systemctl restart sshd
command. This applies the new configurations.
Additional Recommended Security Measures
-
Changing the Default Port By changing the SSH port (typically 22) to a less common one, you can reduce the number of automated login attempts.
-
Restricting Access with Firewall Utilize a firewall to restrict access to the SSH server only from trusted IP addresses.
-
Using Fail2Ban Fail2Ban is a tool that monitors logs and automatically blocks IP addresses attempting unauthorized access.
By implementing these advanced security measures, you significantly enhance the security of your CentOS 7 server when using SSH. It's important to recognize that system security is a continuous process requiring ongoing attention and updates in response to newly discovered threats.