SSH Hardening: Disable Root Login & Use Key Authentication

Securing your Linux server is paramount in today’s digital landscape. One of the most effective measures is hardening SSH (Secure Shell) access by disabling root login and implementing SSH key authentication. This approach minimizes potential attack vectors and enhances overall system security.​

A. Understanding the Risks of Root SSH Access

The root account has unrestricted access to all commands and files on a Linux system. Allowing direct SSH access to this account poses significant security risks:​

A. Predictable Target: The username ‘root’ is common knowledge, making it a prime target for attackers.​

B. Brute-Force Vulnerability: Attackers can attempt to guess the root password, and if successful, gain full control over the system.​

C. Automated Attacks: Bots continuously scan networks for systems with SSH ports open, attempting to exploit them using common credentials.

By disabling root SSH access, you reduce the risk of unauthorized system-wide access.

B. Creating a Non-Root User with Sudo Privileges

Before disabling root login, ensure you have a non-root user with administrative privileges:

Replace newuser with your desired username. This user can perform administrative tasks using sudo.​

C. Disabling Root Login Over SSH

To prevent root login via SSH:

1. Edit the SSH Configuration File:

2. Modify the PermitRootLogin Directive:

Locate the line:​

Change it to:​

Ensure the line is uncommented (remove the # if present).​

3. Restart the SSH Service:

This change will deny SSH access to the root account.​

D. Implementing SSH Key Authentication

SSH keys provide a more secure authentication method than passwords.

1. Generate SSH Key Pair on Client Machine:

Press Enter to accept the default file location and set a passphrase if desired.​

2. Copy Public Key to Server:

Replace newuser with your non-root username and server_ip with your server’s IP address.​

3. Disable Password Authentication (Optional but Recommended):

On the server, edit the SSH configuration:​

Set the following directives:​

Restart the SSH service:​

This ensures only SSH key-based logins are permitted.​

E. Additional SSH Hardening Measures

A. Limit User Access:

Restrict SSH access to specific users by adding the following line to /etc/ssh/sshd_config:​

Restart SSH to apply changes.​

B. Change Default SSH Port:

Changing the default SSH port (22) can reduce automated attacks:

1. Edit SSH Configuration:

Modify the Port directive:​

Replace 2222 with your chosen port number.​

2. Update Firewall Rules:

Allow the new SSH port through your firewall. For UFW:​

3. Restart SSH Service:

C. Enable SSH Logging:

Monitor SSH access attempts by reviewing logs:​

Regularly check logs for suspicious activity.​

Hardening SSH by disabling root login and implementing SSH key authentication significantly enhances your server’s security posture. By following these best practices, you reduce the risk of unauthorized access and protect sensitive data. Regularly review and update your security measures to stay ahead of potential threats.​