How to Install Enable OpenSSH on CentOS 7

If you're looking to enable OpenSSH on CentOS 7, you've come to the right place. In this article, we'll take a look at the steps you need to follow to install and enable OpenSSH on your CentOS 7 machine. We'll also take a look at some of the benefits of using OpenSSH and how to configure it to suit your needs.

What is OpenSSH?

OpenSSH is a secure shell protocol used to establish a secure connection between two computers over a network. It's an open-source version of the Secure Shell (SSH) protocol, which is widely used to provide secure remote access to servers and other network devices.

OpenSSH provides a secure way to access a remote computer by encrypting all data that is transmitted between the client and server. This means that all communications between the client and server are private and cannot be intercepted by a third party.

Why Use OpenSSH?

Using OpenSSH has several benefits, including −

• Security − OpenSSH uses strong encryption algorithms to protect your data.

• Remote Access − OpenSSH allows you to access your remote servers securely.

• Portability − OpenSSH is available on a wide range of operating systems, making it a versatile tool.

• Authentication − OpenSSH provides multiple authentication methods to ensure secure access to your remote servers.

Installing OpenSSH on CentOS 7

Before we can enable OpenSSH on CentOS 7, we need to install it. Here's how −

Step 1: Update the System

Before installing OpenSSH, we need to update our system to make sure we have the latest packages and security updates. To do this, open a terminal and enter the following command −

sudo yum update

This command will update all packages on your system to their latest version.

Step 2: Install OpenSSH

Once the system is updated, we can proceed with the installation of OpenSSH. To install OpenSSH, enter the following command −

sudo yum install openssh-server

This command will install the OpenSSH server on your system.

Step 3: Start the OpenSSH Service

Now that OpenSSH is installed, we need to start the OpenSSH service so that it can accept incoming connections. To start the OpenSSH service, enter the following command −

sudo systemctl start sshd

This command will start the OpenSSH service on your system.

Step 4: Enable OpenSSH

Finally, we need to enable OpenSSH so that it starts automatically every time we boot our system. To do this, enter the following command −

sudo systemctl enable sshd

This command will enable the OpenSSH service on your system.

Configuring OpenSSH

Now that OpenSSH is installed and enabled, we can configure it to suit our needs. Here are a few configuration options you might find useful −

Changing the Port

By default, OpenSSH listens on port 22. However, it's a good idea to change this to a different port to increase security. To do this, open the SSH configuration file −

sudo vi /etc/ssh/sshd_config

Find the line that says #Port 22 and change it to your desired port. For example, if you want to change it to port 2222, you would enter −

Port 2222

Save the file and restart the SSH service −

sudo systemctl restart sshd

Disabling Password Authentication

Another way to increase security is to disable password authentication and use public key authentication instead. To do this, open the SSH configuration file −

sudo vi /etc/ssh/sshd_config

Find the line that says #PasswordAuthentication yes and change it to `PasswordAuthentication no`. Then, find the line that says #PubkeyAuthentication yesand uncomment it by removing the#` symbol. Save the file and restart the SSH service −

sudo systemctl restart sshd

Now, you'll need to generate an SSH key pair and add the public key to your server. This can be done using the ssh-keygen command on your local machine.

Allowing or Restricting SSH Access

You may want to restrict SSH access to certain users or IP addresses. To do this, you can use the AllowUsers, DenyUsers, AllowGroups, and DenyGroups options in the SSH configuration file. For example, to allow access only to a user named jdoe, add the following line to the configuration file −

AllowUsers jdoe

To deny access to a user named jsmith, add the following line −

DenyUsers jsmith

You can also allow or deny access based on IP addresses. For example, to allow access only from a specific IP address, add the following line −

Match Address 192.168.1.100
    AllowUsers jdoe

This will only allow the user jdoe to access the server from the IP address 192.168.1.100.

Use Strong Passwords or Public Key Authentication

When setting up OpenSSH, it's important to use strong passwords or public key authentication to prevent unauthorized access to your system. Avoid using easily guessable passwords, and consider using a password manager to generate and store strong passwords.

Use Firewall Rules to Restrict Access

To further enhance security, you can use firewall rules to restrict access to your system. For example, you can use the firewalld service to block incoming connections to your SSH port from all IP addresses except those you explicitly allow.

Disable Root Login

By default, OpenSSH allows root login via SSH. However, it's best practice to disable this and use a regular user account instead. To disable root login, open the SSH configuration file and find the line that says PermitRootLogin yes. Change it to PermitRootLogin no, then restart the SSH service.

Monitor SSH Logs for Suspicious Activity

Monitoring SSH logs can help you detect suspicious activity and potential security breaches. You can use tools like journalctl or grep to search for failed login attempts, unusual login patterns, and other indicators of malicious activity.

Keep OpenSSH Up-to-Date

Finally, it's important to keep OpenSSH up-to-date with the latest security patches and updates. CentOS 7 provides regular updates through the yum package manager, so make sure to run sudo yum update regularly to keep your system secure.

Use Two-Factor Authentication

Two-factor authentication (2FA) is a powerful security measure that adds an extra layer of protection to your OpenSSH server. With 2FA enabled, users are required to provide a second factor, such as a token or biometric data, in addition to their password, to access the system. This makes it much harder for attackers to gain unauthorized access to your server, even if they have obtained a user's password.

Use SSH Keys with Passphrases

If you decide to use SSH keys for authentication, it's a good idea to add a passphrase to your key. A passphrase is a secret phrase or sentence that is used to encrypt your SSH key. This adds an extra layer of security to your key and makes it much harder for attackers to use your key to gain unauthorized access to your server.

Limit the Number of Failed Login Attempts

OpenSSH provides an option to limit the number of failed login attempts before blocking an IP address. This helps prevent brute-force attacks and makes it harder for attackers to guess passwords. To set this up, open the SSH configuration file and add the following line −

MaxAuthTries 3

This will limit the number of failed login attempts to 3 before blocking the IP address.

Consider Using a Bastion Host

If you're managing multiple servers, it's a good idea to use a bastion host as a gateway to your other systems. A bastion host is a dedicated server that provides a secure entry point to your network. By using a bastion host, you can limit the number of entry points to your network and reduce the risk of unauthorized access.

Regularly Review Access Logs

Finally, it's important to regularly review your access logs to detect any suspicious activity or security breaches. Reviewing your logs can help you identify patterns of activity and identify potential security risks. Make sure to keep your logs in a secure location and limit access to authorized personnel only.

Conclusion

Enabling OpenSSH on CentOS 7 is a straightforward process. Once installed, OpenSSH provides a secure and versatile way to access your remote servers. By configuring OpenSSH to suit your needs, you can further increase security and ensure that only authorized users have access to your server.

Remember to always keep your system updated with the latest security patches and follow best practices when it comes to securing your server.