Securing SSH Authentication on Your CentOS Server

Are you concerned about securing your CentOS server from unauthorized SSH access? In this guide, we’ll walk you through essential steps to harden your server, including creating a non-root user, disabling remote root logins, setting up SSH key authentication, and installing Fail2Ban to defend against brute-force attacks.

Prerequisites: This guide assumes you are using a Linux or macOS system to access a remote CentOS server via SSH.

Step 1: Create a New User with Sudo Privileges

To reduce the risk of compromise, it’s best practice not to use the root account for day-to-day tasks. First, log into your server as root and create a new user,

adduser your_username
passwd your_username

Next, add the new user to the wheel group to grant sudo privileges.

usermod -aG wheel your_username

To test, log in with the new user and try switching to root,

ssh your_username@your_server_ip
sudo -s

Step 2: Generate an SSH Key Pair

SSH key-based authentication is more secure than password-based logins. Generate the key pair on your server (as root),

ssh-keygen -t rsa

Example:

[root@vps ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

Note: A new and unique key pair is generated each time you run this command.

Step 3: Copy the SSH Public Key to Your Local Machine

On your local system, copy the server’s public key to enable password-less login,

ssh-copy-id your_username@your_server_ip

Step 4: Disable Root SSH Login (Recommended)

To enhance security, disable SSH access for the root user:

Open the SSH configuration file on your server,

nano /etc/ssh/sshd_config

Locate the PermitRootLogin line (uncomment it if it is commented out) and set it to,

PermitRootLogin no

Restart SSH,

systemctl restart sshd

Step 5: Install and Configure Fail2Ban

Fail2Ban helps protect your server from brute-force attacks by watching the authentication log and banning IP addresses that repeatedly fail to log in.

Install it using,

yum install epel-release -y
yum install fail2ban -y

Enable and start the Fail2Ban service,

systemctl enable fail2ban
systemctl start fail2ban

You can create a local jail configuration to protect the SSH service,

nano /etc/fail2ban/jail.local

Add the following,

[sshd]
enabled = true
port = ssh
logpath = /var/log/secure
maxretry = 5

Restart Fail2Ban,

systemctl restart fail2ban
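To make the jail's decision rule concrete, here is an added Python example (not part of this guide and not Fail2Ban's own code) that applies the same maxretry = 5 threshold to a few constructed /var/log/secure lines. It assumes Fail2Ban's default findtime of 10 minutes, which the jail above does not set, and the sample addresses come from the 203.0.113.0/24 documentation range.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the jail.local above; findtime is fail2ban's default of
# 10 minutes, which that jail does not override (assumed here).
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
# The sshd failure line fail2ban's sshd filter matches in /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample of /var/log/secure (not real data); source addresses are
# from the 203.0.113.0/24 documentation range. The .7 failures are 3 min apart.
SAMPLE_LOG = """\
Mar 13 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 13 10:00:03 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 13 10:00:05 vps sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 13 10:00:07 vps sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar 13 10:00:09 vps sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 13 10:00:20 vps sshd[1206]: Failed password for your_username from 203.0.113.9 port 50001 ssh2
Mar 13 10:00:25 vps sshd[1207]: Accepted publickey for your_username from 203.0.113.9 port 50002 ssh2
Mar 13 10:20:00 vps sshd[1208]: Failed password for root from 203.0.113.7 port 40010 ssh2
Mar 13 10:23:00 vps sshd[1209]: Failed password for root from 203.0.113.7 port 40011 ssh2
Mar 13 10:26:00 vps sshd[1210]: Failed password for root from 203.0.113.7 port 40012 ssh2
Mar 13 10:29:00 vps sshd[1211]: Failed password for root from 203.0.113.7 port 40013 ssh2
Mar 13 10:32:00 vps sshd[1212]: Failed password for root from 203.0.113.7 port 40014 ssh2
"""

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog stamps carry no year; strptime's 1900 default is fine here
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of ban} for sources hitting maxretry failures in findtime."""
    recent, bans = defaultdict(deque), {}
    for ts, ip in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # expire failures outside the window
            window.popleft()
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans

BANNED = find_bans(SAMPLE_LOG)  # {'203.0.113.5': datetime(1900, 3, 13, 10, 0, 9)}
```

Only 203.0.113.5 is banned: 203.0.113.7 also fails five times, but spread over 12 minutes, so never five inside one findtime window, which is why a slow guesser is not caught by maxretry alone.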

Final Notes

Your CentOS server is now more secure against unauthorized access. Remember:

  • Use strong passwords and unique SSH keys.

  • Disable root login whenever possible.

  • Regularly update your system and monitor login activity.
