CentOS 7 – Securing SSH and the root login configuration

In this section, we show some basic and advanced ways to secure the SSH service against more threats. We need to make some minor changes to the /etc/ssh/sshd_config file, and we will explain each line as we change it:


$ sudo nano /etc/ssh/sshd_config

Uncomment the SSH version 2 line to use only the newer version of SSH, which is more secure and reliable. The line should look like the following:


Protocol 2

We can also prevent specific users from logging in to the server over SSH by listing them in a DenyUsers line:


DenyUsers Baduser1 baduser2

Then we can set a timeout for SSH connections, so that sessions that have been inactive for a defined period of time are always closed. The countdown starts from the moment the session becomes idle:


ClientAliveInterval 360
ClientAliveCountMax 0

Then we can disable the root login using SSH:


PermitRootLogin no

In addition, we can disallow empty passwords, so that users who don't have a password cannot log in:


PermitEmptyPasswords no

We can do the same for password authentication and force all logins to happen via generated keys:


PasswordAuthentication no

A warning banner is always useful. To create one, we edit /etc/issue and add any kind of banner:


$ sudo nano /etc/issue

Then we should restart the service so that the changes take effect:


$ sudo systemctl restart sshd 
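
The directives above can be checked mechanically before relying on them. The following script is an added example, not part of the original article; the function names sshd_value, audit_sshd_config and demo are illustrative, and it assumes every directive must be set explicitly with exactly the values shown in this section:

```shell
#!/bin/sh
# Added example (not from the original page); function names are illustrative.
# Print the value sshd would use for KEYWORD in the global section of FILE:
# the FIRST occurrence wins, keywords are case-insensitive, "Match" ends the scan.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Compare FILE with the values from this page; the return code is the number
# of directives that are missing or different.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    failures=0
    while read -r key want; do
        got="$(sshd_value "$1" "$key")"
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key: want '$want', found '${got:-not set}'"
            failures=$((failures + 1))
        fi
    done <<'EOF'
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
ClientAliveInterval 360
ClientAliveCountMax 0
EOF
    return "$failures"
}

# Constructed sample: duplicate, commented-out and Match-scoped directives.
demo() {
    tmp="$(mktemp)"
    printf '%s\n' 'Protocol 2' 'permitrootlogin no' 'PermitRootLogin yes' \
        '#PermitEmptyPasswords no' 'PasswordAuthentication yes' \
        'ClientAliveInterval 360' 'ClientAliveCountMax 0' \
        'Match User backup' '    PasswordAuthentication no' > "$tmp"
    audit_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Audit a real file when a path is given, e.g. sh audit.sh /etc/ssh/sshd_config
[ -z "${1:-}" ] || audit_sshd_config "$1"
```

On the constructed sample, the audit flags the commented-out PermitEmptyPasswords line and the global PasswordAuthentication yes, and ignores the value that appears only inside the Match block. Running sudo sshd -t before the restart additionally checks the file for syntax errors.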

Some servers are publicly accessible, so they may need extra reinforcement of their SSH service. For this task, we will install a tool called Fail2Ban, a very reliable tool that helps protect many services from brute-force attacks. It scans the log file of the specific service and looks for failed login attempts in order to block them. To install it, we first need to install the EPEL repository:


$ sudo yum install epel-release

Then we install it together with Rsyslog, since it scans the log output taken from Rsyslog:


$ sudo yum install fail2ban rsyslog

To have it working fine, we can update it or update the SELinux policy.

Then we go ahead to configure it in order to secure SSH. We need to create a file named sshd.local in the jail folder of Fail2Ban:


$ sudo nano /etc/fail2ban/jail.d/sshd.local

Then we add the following code inside it:


[sshd]
enabled  = true
filter   = sshd
#action  = firewallcmd-ipset
maxretry = 8
bantime  = 172800

This will ban attackers for 48 hours (172800 seconds). Then we start the service and enable it at system startup:


$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban

We have now finished securing SSH. Next, let's manage root login access. We have already shown how to disable root login over SSH. Now let's adjust the Sudoers file a little so that a user can execute superuser commands without needing to type in a password.

First, we need to install sudo on the server. Usually, most CentOS 7 server installations have sudo installed.

Then we can just use the group wheel. If needed, we can create a new one:


$ sudo nano /etc/sudoers

And we go to the line describing the group wheel:


%wheel ALL=(ALL)  ALL

Here, we add the NOPASSWD: tag so that the users in this group gain root access using sudo without needing to enter a password every time:


%wheel ALL=(ALL)  NOPASSWD: ALL

Note

Some system administrators advise against this option, because if a mistyped command is executed, there is no turning back. Whether to use this option is always a choice that depends on the need.