Jan 5

Disable Root Access, Change SSH Port - SSH Security

Author: skoral    Category: Server Hardening

Allowing root logins through SSH is one of the biggest security threats, and the root account is something that hackers will attempt to “brute force” at some time. Many of these hackers use automated tools to do this, so it is essential to make these two changes as soon as your server is set up.

Disabling root logins saves you the headache of potentially allowing a devious person full control over your entire server. You will want to take one of your standard logins and let that account either use “su -” to enter the superuser shell or use sudo to perform the tasks that require full privileges.

First off, as root, you need to edit the “sudoers” file and give your standard login sudo permissions. You will need an SSH client, such as PuTTY, to log on to your server.

# nano /etc/sudoers

Find the following:
# User privilege specification
root    ALL=(ALL) ALL

and change to:
# User privilege specification
root    ALL=(ALL) ALL
username  ALL=(ALL) ALL

Save your changes with ctrl-x, “y”, enter.

Now open the sshd_config file to block root access:
# nano /etc/ssh/sshd_config

Find:
PermitRootLogin yes

and change this to “no”.

(This will not break your current session.)

Now look for:
Port 22

and change it to another port number, such as 2265. When a hacker then tries port 22, the standard SSH port, they will get an error saying that the port is not open.

Once again, save the file with the ctrl-x, y, enter sequence.

That does it! Your SSH configuration is now more secure than it was before, and even if a hacker does find your SSH port, they won’t have root access or know the username that you just gave sudo permissions to.
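As an added example (not part of the original post), the script below checks an sshd_config for both changes made above. The function names and the sample file are hypothetical, and the script reads only global settings: Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two changes made above.

# Print every global (pre-"Match") value of keyword $2 in file $1.
# sshd keywords are case-insensitive, their arguments are not.
config_values() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                   # drop leading whitespace
        /^#/ || /^$/ { next }                    # skip comments and blanks
        { n = split($0, f, /[ \t=]+/) }          # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }        # Match blocks are conditional
        n >= 2 && tolower(f[1]) == tolower(key) { print f[2] }
    ' "$1"
}

# Return 0 only if root login is explicitly "no" and port 22 is not in use.
audit_sshd_config() {
    rc=0
    # sshd keeps the first value it reads for a keyword such as this one.
    root=$(config_values "$1" PermitRootLogin | head -n 1)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"
        rc=1
    fi
    # Port may be given several times; every value is a listening port.
    ports=$(config_values "$1" Port)
    [ -n "$ports" ] || ports=22                  # sshd default when unset
    for p in $ports; do
        if [ "$p" = "22" ]; then
            echo "FAIL: sshd still listens on port 22"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the "no" line was added below a stock "yes" line,
# so the earlier "yes" still wins and the audit reports a failure.
sample=$(mktemp)
printf '%s\n' 'Port 2265' 'PermitRootLogin yes' '#Port 22' \
    'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing the file. The running daemon keeps its old settings until sshd is reloaded or restarted.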

Congratulations!!! This is your first step in hardening your server against attacks!
