When hardening SSH security on CentOS servers, we often face a dilemma: completely disabling root SSH access via PermitRootLogin no enhances security but creates administrative inconvenience for local network operations. The ideal solution is allowing root SSH access only from trusted local networks while enforcing stricter controls for external connections.
We'll implement this through a combination of SSH daemon configuration and TCP wrappers. The solution works particularly well with CentOS 6.5's default SSH implementation:
# First, edit the SSH daemon configuration
vi /etc/ssh/sshd_config
Modify these directives in your sshd_config:
PermitRootLogin without-password
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
For local network restrictions, we'll use TCP wrappers. Edit /etc/hosts.allow:
sshd: 192.168.1.0/24 : allow
sshd: LOCAL : allow
sshd: ALL : deny
Then edit /etc/hosts.deny:
sshd: ALL
For users requiring OTP (like admin accounts), ensure PAM is properly configured. Edit /etc/pam.d/sshd:
auth required pam_google_authenticator.so
auth required pam_permit.so
After making these changes, check the configuration before restarting, so a typo cannot leave the daemon down and lock you out of a remote box:
sshd -t  # check for configuration errors first
service sshd restart
On newer OpenSSH releases (AuthenticationMethods requires OpenSSH 6.2 or later; check with ssh -V), the cleaner approach is Match blocks in sshd_config:
Match Address 192.168.1.0/24,127.0.0.1
    PermitRootLogin without-password
    AuthenticationMethods publickey
Match all
    PermitRootLogin no
When hardening SSH access on CentOS servers, administrators often face the dilemma of balancing security with operational needs. The root user presents the highest risk if compromised, yet some local administrative tasks may require root access.
The /etc/ssh/sshd_config file controls SSH server behavior. The PermitRootLogin directive has several possible values:
# Typical options:
# PermitRootLogin yes                  # root may log in with any enabled method, passwords included
# PermitRootLogin without-password     # password auth is disabled for root (newer releases spell this prohibit-password)
# PermitRootLogin forced-commands-only # key auth only, and only for keys carrying a command= option
# PermitRootLogin no                   # root may not log in over SSH at all
To restrict root access to local network only while using Google Authenticator, combine these approaches:
# /etc/ssh/sshd_config additions:
PermitRootLogin no
Match Address 192.168.1.0/24,10.0.0.0/8
    PermitRootLogin yes
    AuthenticationMethods publickey,keyboard-interactive
The solution works by:
- Globally disabling root login (PermitRootLogin no)
- Creating an exception for specified IP ranges using Match Address
- Requiring both public key and OTP authentication for root sessions
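The authoritative way to see what sshd will apply to a given client is sshd -T -C user=root,addr=192.168.1.10, which prints the effective configuration after Match evaluation. As an added illustration that is not part of the original post, the following Python re-implements that evaluation for the Match Address and Match all forms used above, on a constructed config, so the first-match rule and the "!" negation behaviour can be checked offline:

```python
import ipaddress
# Constructed sshd_config, mirroring the Match-based layout shown above.
SSHD_CONFIG = """
PermitRootLogin no
AuthenticationMethods publickey
Match Address 192.168.1.0/24,10.0.0.0/8
    PermitRootLogin yes
    AuthenticationMethods publickey,keyboard-interactive
Match all
    PermitRootLogin no
"""

def parse_sshd_config(text):
    # Returns (global options, ordered list of (address patterns, options)).
    # Only "Match Address ..." and "Match all" are handled, as on this page.
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, arg = value.partition(" ")
            current = {}
            blocks.append((None if crit.lower() == "all" else arg.split(","), current))
            continue
        # sshd keeps the first value it sees for a keyword within a section.
        (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def address_matches(client_ip, patterns):
    # Emulates Match Address: CIDR list, "!" negates, and a negated hit
    # rejects the whole list (the addr_match_list() behaviour in sshd).
    ip, matched = ipaddress.ip_address(client_ip), False
    for pat in patterns:
        if ip in ipaddress.ip_network(pat.lstrip("!"), strict=False):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def effective_option(text, client_ip, keyword):
    # First satisfied Match block that sets the keyword wins; else global value.
    global_opts, blocks = parse_sshd_config(text)
    for addrs, opts in blocks:
        if addrs is None or address_matches(client_ip, addrs):
            if keyword.lower() in opts:
                return opts[keyword.lower()]
    return global_opts.get(keyword.lower())
```

Running effective_option for a LAN address and for a public address shows root getting "yes" plus key+OTP internally and "no" externally, which is the behaviour to confirm from both networks before relying on it.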
After modifying the config, always:
# Test configuration syntax
sudo sshd -t
# Reload SSH service
sudo service sshd reload
Test from both local and external networks to verify the restrictions work as intended.
For systems using TCP Wrappers, you can add to /etc/hosts.allow:
sshd: 192.168.1.0/24 : ALLOW
sshd: 10.0.0.0/8 : ALLOW
sshd: ALL : DENY
And in /etc/hosts.deny:
sshd: ALL
Remember that:
- IP-based restrictions can be bypassed if the local network is compromised
- Always combine with other security measures (firewalls, IDS)
- Consider using sudo for administrative tasks instead of direct root login
If experiencing connection problems:
# Check SSH logs
tail -f /var/log/secure
# Verify network connectivity
ping <server_ip>
# Test SSH connection with verbose output
ssh -vvv root@server