How to Set Up SSH on CentOS & RHEL
Learn to enable SSH on CentOS Linux systems. Also learn to configure it to follow the best practices.
— Team LHB
SSH (Secure Shell) is a secure network protocol based on the client-server architecture that allows you to securely access remote computers/servers over the network.
SSH is widely used by system administrators for connecting to remote servers. This makes administrators easily manage servers and applications remotely and securely from anywhere at any time.
In this guide, I'll show you how to set up and enable SSH on CentOS/RHEL systems. With the SSH enabled on this CentOS system, you should be able to access this system from other computers using its IP address.
This tutorial also includes the steps to change the default SSH port, disable SSH login for the root user, and set up firewalld to secure your SSH server.
To complete this guide, ensure you have got the following requirements:
- A CentOS or RHEL Linux system. You can install it on your physical machine/real hardware, or using the virtual machine through KVM/VirtualBox, or using third-party cloud providers like Linode (but they usually already have SSH enabled).
- A non-root user with sudo/root privileges. This user will be used for modifying your system. And in the end, this user can be used to log in to your server.
Installing OpenSSH Packages
OpenSSH is one of the most popular software implementations of SSH protocol. It is used by millions of Linux servers, and become a critical part of the server environment. By default, OpenSSH is available on most Linux distribution repositories, including CentOS and RHEL systems.
Before you get started, refresh your package index using the DNF package manager as below.
sudo dnf check-update
Next, install OpenSSH packages on the CentOS/RHEL systems using the following command. This command will install OpenSSH server packages, as well as OpenSSH client software.
sudo dnf install openssh-server openssh-clients -y
After OpenSSH installation is complete, execute the following command to start the sshd
service and enable it to start automatically at the system boot.
sudo systemctl enable --now sshd
Now, verify the sshd
service status by running the following command.
sudo systemctl status sshd
You'll receive output like the following screenshot. The sshd
service is active (running)
.
Configuring SSH Server
By default, the SSH configuration is available at the /etc/ssh
directory, and the main configuration file is sshd_config
. This file contains some basic SSH configuration, such as ListenAddress
that determines the IP address of running SSH service, Port
for setting up SSH service port, authentication methods, and many more.
In this section, you'll modify the configuration sshd_config
, then change the default SSH port and disable login for the root user.
This setting is recommended for security reasons, it is to increase server security and reduce the brute force attack against your server.
Now, open the file sshd_config
using vi
editor or your preferred editor.
sudo vi /etc/ssh/sshd_config
Before you start editing the file, you must know that lines beginning with #
and empty lines are interpreted as comments.
At the top of the line, change the default SSH port from 22
to your preferred port. This tutorial uses the non-standard port 2028
for SSH.
Port 2028
Next, change the option of PermitRootLogin yes
to PermitRootLogin no
. This will disable SSH login for the user root
user. Optionally, you can add #
at the beginning of the line PermitRootLogin
.
PermitRootLogin no
Save and close the file.
After making changes, verify the SSH configuration, then restart the sshd
service.
sshd -t
sudo systemctl restart sshd
Now, you can connect to your SSH server by running the ssh
command below.
ssh username@SERVER-IP -p PORT
The -p
option is used to specify the port of your SSH server.
In this section, you have completed the basic configuration for securing the SSH server by changing the default SSH port and disabling login for the root
user. Moreover, you've learned to connect to the SSH server with a non-standard port. Next, you'll install and configure firewalld.
Installing and Configuring Firewalld
If you are using the CentOS/RHEL server on the public internet, such as a cloud server, then you may need to enable the firewall. This will increase your server security, by limiting access only to specific services such as SSH, HTTP, and HTTPS. On CentOS/RHEL-based distribution, firewalld is the default firewall package that you can install on your system.
In this section, you'll install firewalld and set up its open ports for your SSH server.
To install firewalld, run the dnf
command below.
sudo dnf install firewalld -y
After firewalld installation is completed, start and enable the firewalld
service. Then verify its status by running the following command.
sudo systemctl enable --now firewalld
sudo systemctl status firewalld
You'll receive a similar output like the screenshot below. The firewalld
service is active (running)
.
For interacting with firewalld, you can use the command firewall-cmd
. It is the command-line interface for managing firewalld rules. You can use firewall-cmd
to add, remove, and modify firewalld rules. And there are many more that you can do with using the firewall-cmd
.
Now, to add the custom SSH port to your system, run the firewall-cmd
command below.
sudo firewall-cmd --add-port=2028/tcp --permanent
You'll receive the output success
, which means the operation success and completed.
This example uses the port 2028
as the custom SSH port. and the SSH service is running on the TCP port, so you need to specify the port and protocol such as 2028/tcp
. The option --permanent
makes this rule permanently.
Next, reload firewalld rules to apply a new configuration using the following command.
sudo firewall-cmd --reload
You have added the SSH custom port to the firewalld. Execute the command below to list all enabled rules.
sudo firewall-cmd --list-all
Now you'll see a list of enabled rules in firewalld. The services SSH, Cockpit, and dhcp are enabled by default.
To remove the default SSH rule, run the firewall-cmd
command below. Then reload again firewalld rules.
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
Now, you have completed the installation and configuration of firewalld to secure your SSH server.
Conclusion
In this guide, you have completed the installation and configuration of SSH on the CentOS/RHEL system. You have secured your SSH server by changing the default port and disabling the login for the root
user. Additionally, you've completed the firewalld installation and configuration on the CentOS/RHEL system for securing the SSH server.
Let us know if you have questions.
Team LHB indicates the effort of a single or multiple members of the core Linux Handbook team.