How to Restrict SSH Root Login to a Specific IP Address in CentOS 5 While Allowing Regular Users to Authenticate via Password

When managing a CentOS 5 VPS server with both technical and non-technical users, we often face authentication dilemmas. The ideal setup would allow:

  • Root access only from specific trusted IPs
  • Password authentication for regular SFTP users
  • Key-based authentication for privileged accounts

Edit your /etc/ssh/sshd_config file with these directives:

# Global section: these directives apply to every connection. Anything placed
# after a Match line is scoped to that Match block, so global settings such as
# PasswordAuthentication must come before the first Match.
PermitRootLogin no

# Standard authentication for regular users
PasswordAuthentication yes

# Root only from the trusted address, and only with a key.
# AuthenticationMethods needs OpenSSH 6.2 or later; on older versions use
# "PermitRootLogin without-password" here instead.
Match Address 192.168.1.100
    PermitRootLogin yes
    AuthenticationMethods publickey

To allow key-based root login while maintaining password auth for others:

# In /etc/ssh/sshd_config (global section, before any Match line).
# A space-separated list means any one of the listed methods completes the
# login; written with a comma ("publickey,password") sshd would require BOTH
# from every user. AuthenticationMethods needs OpenSSH 6.2 or later.
AuthenticationMethods publickey password

# root: key only
Match User root
    AuthenticationMethods publickey

# SFTP users: password only
Match Group sftpusers
    AuthenticationMethods password

For additional security, implement IP restrictions at the firewall level:

# iptables rules for SSH access control.
# Caution: the DROP rule blocks port 22 for every address except 192.168.1.100,
# including the addresses the SFTP users connect from; use it only when every
# SSH client is whitelisted. -A appends after the rules already in INPUT, so
# confirm the resulting order with "iptables -L INPUT -n --line-numbers".
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Remember that CentOS 5 uses older OpenSSH versions. Some modern features might not be available. After configuration changes:

service sshd reload

Always maintain a secondary connection when testing SSH configurations to avoid locking yourself out.

Implement logging to track authentication attempts:

# Add to sshd_config
LogLevel VERBOSE

Regularly review /var/log/secure for suspicious activity.
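One way to act on the advice to review /var/log/secure, as an added example rather than code from the original post: the log lines below are constructed in the syslog format CentOS 5's sshd writes, the trusted address 192.168.1.100 is taken from the configuration above, and the policy being checked (root by key only, and only from that address) is the one this setup is meant to enforce.

```shell
#!/bin/sh
# Added example (not from the original post): review sshd entries from
# /var/log/secure against the intended policy (root only by key, only from the
# trusted address).

# Constructed sample log lines in the format CentOS 5 writes to /var/log/secure.
SAMPLE_LOG='Jun 12 10:01:02 vps1 sshd[2345]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jun 12 10:01:05 vps1 sshd[2345]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jun 12 10:02:11 vps1 sshd[2350]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jun 12 10:03:30 vps1 sshd[2360]: Accepted publickey for root from 192.168.1.100 port 50000 ssh2
Jun 12 10:04:01 vps1 sshd[2370]: Accepted password for user1 from 192.168.1.55 port 50100 ssh2
Jun 12 10:05:45 vps1 sshd[2380]: Accepted password for root from 203.0.113.45 port 51300 ssh2'

# Count failed password attempts per source address, busiest first: "COUNT IP".
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Print successful root logins that break the policy, as "IP METHOD".
# Policy: root authenticates with publickey only, and only from $1 (trusted IP).
# Exit status 1 if any violation was found, 0 otherwise.
root_login_violations() {
    awk -v trusted="$1" '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") break
            # "Accepted METHOD for USER from IP port ..."
            method = $(i + 1); user = $(i + 3); ip = $(i + 5)
            if (user == "root" && (method != "publickey" || ip != trusted)) {
                print ip, method
                n++
            }
        }
        END { exit n ? 1 : 0 }'
}

# Demonstration on the constructed sample; on the server, replace the printf with
#   grep sshd /var/log/secure | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | root_login_violations 192.168.1.100 || echo "root login policy violated"
```

With LogLevel VERBOSE, sshd additionally logs the fingerprint of the authorized key that matched ("Found matching ... key"), so the same pass over the log can also tell which key was used for each root login.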

Many sysadmins face this dilemma - needing to harden SSH security by restricting root access while maintaining password authentication for non-technical SFTP users. On CentOS 5 systems, we can implement a layered security approach that addresses both requirements.

Edit your sshd_config file with:

vi /etc/ssh/sshd_config

Add these directives at the end:

# Global default: root denied everywhere. This line must sit before the first
# Match line (replace any existing PermitRootLogin line in the file).
PermitRootLogin no

# Exception: root allowed from the trusted address only
Match Address 192.168.1.100
    PermitRootLogin yes

Replace 192.168.1.100 with your specific IP. This implements whitelisting while keeping the default restrictive policy.

To enforce key-based auth for root while allowing passwords for others:

# Match blocks go after all global directives.
# AuthenticationMethods needs OpenSSH 6.2 or later; "prohibit-password" needs
# OpenSSH 7.0 or later (older releases spell it "without-password").
Match User root
    AuthenticationMethods publickey
    PermitRootLogin prohibit-password

Match Group sftpusers
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes

1. First create the SFTP group:

groupadd sftpusers

2. Configure chroot for SFTP users in sshd_config:

# Subsystem is a global directive: replace the existing
# "Subsystem sftp /usr/libexec/openssh/sftp-server" line rather than adding a
# second one after a Match block.
Subsystem sftp internal-sftp

# Every component of the ChrootDirectory path must be owned by root and must
# not be group- or world-writable, or sshd refuses the session.
Match Group sftpusers
    ChrootDirectory /var/sftp/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

3. Create individual user directories with proper permissions:

mkdir -p /var/sftp/user1
useradd -G sftpusers -s /bin/false user1
passwd user1                                   # set the password the user logs in with
chown root:root /var/sftp/user1                # the chroot root must be owned by root ...
chmod 755 /var/sftp/user1                      # ... and not writable by anyone else
mkdir /var/sftp/user1/uploads
chown user1:sftpusers /var/sftp/user1/uploads  # the user writes only inside uploads/

Add iptables rules for additional protection:

# Caution: the DROP rule blocks SSH from every address except 192.168.1.100,
# including the SFTP users; use it only if all clients are whitelisted.
# -A appends after the rules already in INPUT, so confirm the order with
# "iptables -L INPUT -n --line-numbers" before saving.
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
service iptables save

After making changes, always test with:

sshd -t && service sshd restart

Then verify from permitted and non-permitted IPs. Use verbose mode for debugging:

ssh -v root@yourserver
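The Match-scoping rule behind the sshd_config snippets above (a directive placed after a Match line belongs to that block, and some directives such as Subsystem are not accepted inside one at all) is easy to get wrong by hand. The following script is an added example, not part of the original post: it reports which scope each directive ends up in and flags global-only directives placed inside a Match block. The two sample configurations are constructed to reproduce those mistakes, and the GLOBAL_ONLY list is a subset of the directives sshd_config(5) restricts to the global section.

```shell
#!/bin/sh
# Added example (not from the original post): report the scope sshd will give
# each sshd_config directive, and flag directives that sshd -t rejects inside
# a Match block.

# Constructed sample: the common mistake of a "global" directive after a Match
# line. sshd scopes line 8 to "Match Address 192.168.1.100", not to everyone.
SAMPLE_CONFIG='# Enable root login but restrict by IP
PermitRootLogin no
Match Address 192.168.1.100
    PermitRootLogin yes
    AuthenticationMethods publickey

# Standard authentication for regular users
PasswordAuthentication yes
'

# Constructed sample: Subsystem is only valid in the global section, so
# sshd -t fails on line 3 of this file.
SAMPLE_BAD='Match Group sftpusers
    ChrootDirectory /var/sftp/%u
Subsystem sftp internal-sftp
'

# Subset of the directives sshd_config(5) does not permit inside a Match block.
GLOBAL_ONLY='Subsystem Port ListenAddress Protocol HostKey UsePAM StrictModes UseDNS LoginGraceTime MaxStartups SyslogFacility'

# Read a config on stdin; print "LINE|SCOPE|DIRECTIVE" for every directive,
# where SCOPE is "global" or the Match line that governs it.
sshd_scope_report() {
    awk '
        BEGIN { scope = "global" }
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            sub(/^[[:space:]]+/, "", line)       # trim leading whitespace
            sub(/[[:space:]]+$/, "", line)       # trim trailing whitespace
            if (line == "") next
            split(line, f)
            if (tolower(f[1]) == "match") { scope = line; next }
            print NR "|" scope "|" f[1]
        }'
}

# Read a config on stdin; list global-only directives that sit inside a Match
# block. Exit status 1 if any were found, 0 if the file is clean.
sshd_scope_errors() {
    sshd_scope_report | awk -F'|' -v globals="$GLOBAL_ONLY" '
        BEGIN { n = split(globals, g, " "); for (i = 1; i <= n; i++) bad[tolower(g[i])] = 1 }
        $2 != "global" && (tolower($3) in bad) {
            printf "line %s: %s is not permitted inside \"%s\"\n", $1, $3, $2
            errs++
        }
        END { exit errs ? 1 : 0 }'
}

# Demonstration on the constructed samples
printf '%s' "$SAMPLE_CONFIG" | sshd_scope_report
printf '%s' "$SAMPLE_BAD" | sshd_scope_errors || echo "sshd -t would reject this file"
```

Applied to the first sample, the report shows PasswordAuthentication landing in the Match Address scope; moving it above the Match line puts it back in the global section. Run sshd -t on the real file afterwards, since this only checks scoping, not the values themselves.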
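The chroot steps above depend on an ownership rule that sshd enforces silently: every component of the ChrootDirectory path, from the chroot directory up to /, must be owned by root and must not be group- or world-writable, otherwise the session is closed with "bad ownership or modes for chroot directory" in the log. The script below is an added example, not part of the original post, that walks a path and reports each component that breaks the rule; it assumes GNU stat -c (present on CentOS) and uses /var/sftp/user1 from the steps above as its demonstration path.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a ChrootDirectory
# path meets the ownership and permission rules sshd enforces before it will
# chroot a user. Uses stat -c (GNU coreutils, as shipped with CentOS).

# 0 if the directory is owned by uid 0
chroot_owner_ok() {
    [ "$(stat -c %u "$1")" = "0" ]
}

# 0 if the directory is not group- or world-writable
# (checks the two w positions of a mode string such as "drwxr-xr-x")
chroot_mode_ok() {
    case $(stat -c %A "$1") in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Walk from the chroot directory up to / and report every component that fails
# a rule. Returns 0 when the whole path is acceptable to sshd.
check_chroot_path() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory"; return 1; }
    rc=0
    while :; do
        chroot_owner_ok "$p" || { echo "$p: not owned by root"; rc=1; }
        chroot_mode_ok "$p"  || { echo "$p: writable by group or others"; rc=1; }
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Demonstration on the layout from the steps above. Only the path components
# are checked; the uploads subdirectory sits below the chroot root and may be
# owned by the user. Adjust the path for your own SFTP user.
check_chroot_path /var/sftp/user1 && echo "/var/sftp/user1 is acceptable as a ChrootDirectory"
```

A typical failure this catches is a /var/sftp created with mode 775 or chowned to the user "to make uploads work"; the fix is the root:root 755 directory with a user-owned subdirectory, exactly as in step 3.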