DTT

How to Disable Root SSH Access on CentOS 7

Published: April 6, 2018 (Updated: Apr 6, 2018)
#CentOS 7 #SSH #Linux Security

Enjoying this content? Subscribe to the Channel!

Essential CentOS 7 Security: Stop the Scanners by Disabling Root SSH Access

Introduction: Why Disabling Root SSH is Non-Negotiable

Welcome to Darren’s Tech Tutorials! If you manage a server—especially one accessible over a public network—security is paramount.

The single biggest vulnerability for new servers is automated attack scripts. These bots don’t know who you are, but they know the default administrative username on Linux: root. They constantly hammer your server, attempting to log in using root combined with common or leaked passwords.

The solution is simple and incredibly effective: disable the ability to log in as root via SSH.

By forcing attackers to guess both a custom username and a password, you drastically reduce your server’s attack surface. This tutorial will walk you through the essential steps to secure your CentOS 7 installation by creating a standard user, granting them administrative power via sudo, and then locking down root access for good.

Crucial Warning: Do not log out of your current root session until you have successfully tested the new user and confirmed they have sudo access. We will be testing this setup before we exit!

All the commands you need to follow along are available on our supporting page linked here.

Step 1: Creating a Secure Alternative User Account

Before we lock out root, we need a way back into the server! We will create a new standard user account that you will use for all future SSH logins.

Execute these commands while logged in as the current root user:

  1. Add the new user: Replace darrenuser with your preferred username.

    adduser darrenuser

  2. Set a strong password: You will be prompted to enter and confirm a new, complex password.

    passwd darrenuser

Step 2: Granting Sudo Permissions to the New User

Standard users are great for security, but we still need the ability to run administrative tasks (like installing software or managing services) without logging back in as root. On CentOS, we do this by adding the user to the wheel group, which is pre-configured to have sudo privileges.

  1. Add the user to the wheel group:

    gpasswd -a darrenuser wheel

  2. Verify Sudo Access (Optional but Recommended):

    You can quickly check if the new user has been added successfully. While still in your root session, try running a command as the new user using su - darrenuser and then attempt a sudo command.

    # Switch to the new user
su - darrenuser

# Test sudo access (this should prompt you for the new user's password)
sudo ls /root

# Exit back to your original root shell
exit

Step 3: Disabling Root Login in SSH Configuration

Now that we have a trusted standard user with admin capabilities, we can modify the main SSH configuration file to prevent direct root logins.

  1. Open the SSH daemon configuration file: Use your preferred editor (like vi or nano).

    vi /etc/ssh/sshd_config

  2. Locate and Modify the Setting: Use the search function within your editor to find the line that begins with PermitRootLogin.

    • It might be commented out (#). If so, uncomment it and ensure it reads:
    PermitRootLogin no
    • If you found PermitRootLogin yes, change it directly to no.

  3. Save the file and exit the editor.

  4. Restart the SSH Service: This is the critical step that applies the new configuration changes.

    systemctl restart sshd

Step 4: Verification and Final Log Out

This is the most crucial step! Do not terminate your original root SSH session until you have successfully verified that you can log in as the new user.

  1. Open a New Terminal Window: Keep your existing root session open!

  2. Attempt to Log In as the New User: Use the new username you created (darrenuser).

    ssh [email protected]

  3. Verify the new user works: Once logged in, run a sudo command to confirm administrative privileges:

    sudo yum update

    (You should be prompted for your user password, and the command should execute.)

  4. Test Root Login Failure (Optional): Try to log in to the server in a third window directly as root. This attempt should now be immediately denied.

    ssh [email protected]

If all tests pass—you can log in as the standard user, run sudo commands, and direct root login is denied—then you are secure!

You can now safely log out of your original root session. Congratulations, your CentOS 7 server is now significantly more protected against automated script attacks!

Conclusion

By taking these few simple steps, you have eliminated one of the most common server security risks. Switching from relying on the highly targeted root user to a custom user with controlled sudo access is foundational security practice on any Linux server.

If you found this guide helpful and are ready to take the next step in securing your infrastructure, be sure to hit the Like button on the video, Subscribe to Darren’s Tech Tutorials for more clear and accessible guides, and let us know in the comments if you have any questions! Happy securing!