Securing SSH on AlmaLinux: Best Practices

Boost your AlmaLinux server security! Learn to disable root login, implement key-based authentication, and more. Follow these SSH best practices for a safer online presence.

Securing SSH on AlmaLinux: Best Practices

SSH (Secure Shell) is a critical component for remote server management, providing secure access to your AlmaLinux system. However, to ensure the highest level of security, it's essential to implement best practices when configuring and managing SSH. In this guide, we'll cover advanced techniques for securing SSH on AlmaLinux.

Disabling Root Login

One of the fundamental steps in securing SSH is to disable direct root login. This adds an extra layer of security by requiring users to log in with their own credentials before gaining root access.

To disable root login, follow these steps:

sudo nano /etc/ssh/sshd_config

Inside the configuration file, locate the line:

PermitRootLogin yes

Change it to:

PermitRootLogin no
Force users to log in as a regular user first and then switch to root using sudo

Save and exit the file, then restart the SSH service:

sudo systemctl restart sshd

By setting PermitRootLogin to no you force users to log in as a regular user first and then switch to root using sudo. This reduces the risk of unauthorized access.

If you have only the root user and disable root login, ensure you have an alternative method of accessing the system, such as creating a new user with sudo privileges (explained in the next section).

Creating a New User with Sudo Privileges

Assuming you have root access, create a new user and grant sudo privileges:

sudo adduser krython-user
sudo usermod -aG wheel krython-user

On AlmaLinux, the default group for users with sudo privileges is often named wheel instead of sudo as used in some other distributions like Ubuntu.

Create a new user and grant sudo privileges

Replace krython-user with the desired username.

This ensures that the user is added to the appropriate group that has sudo privileges on AlmaLinux.

Set password for this user:

sudo passwd krython-user

Replace krython-user with the desired username.

Changing password for our new user

Key-Based Authentication

Implementing key-based authentication enhances security by eliminating the need for password-based logins. This method involves generating a key pair (public and private) on your local machine and then copying the public key to the AlmaLinux server.

  1. Generating SSH Key Pair (On your local machine)
ssh-keygen -t rsa -b 4096

Follow the prompts, leaving the passphrase empty for automated processes.

  1. Copying Public Key to AlmaLinux

Replace krython-user with your username.

  1. Now, edit the SSH configuration on the server:
sudo nano /etc/ssh/sshd_config

Ensure the following lines are set:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

  1. Restart the SSH service:
sudo systemctl restart sshd

Key-based authentication provides a stronger authentication mechanism than passwords. Disabling password authentication and other challenge-response methods enhances security further.

Changing SSH Port

Changing the default SSH port adds an extra layer of security by making it more challenging for automated bots to discover and target your SSH service. To change the SSH port:

sudo nano /etc/ssh/sshd_config

Find the line:

# Port 22

Change it to an alternative port, for example:

Port 2222
Changing Port Value

Save and restart the SSH service:

sudo systemctl restart sshd

Modifying the default SSH port helps reduce the number of unauthorized access attempts and adds a level of obscurity to your server.

Configuring Idle Session Timeout

Setting an idle session timeout ensures that inactive SSH sessions are terminated after a specified period, reducing the risk of unauthorized access if a session is left unattended. To configure session timeout:

sudo nano /etc/ssh/sshd_config

Find, uncomment and change the following line:

ClientAliveInterval 300
ClientAliveCountMax 2
Change ClientAliveInterval & ClientAliveCountMax Values

ClientAliveInterval sets the interval at which the server will send a message to the client to check if it is still active, and ClientAliveCountMax defines the number of unanswered messages before disconnecting.

Two-Factor Authentication (2FA)

Implementing Two-Factor Authentication adds an extra layer of security by requiring users to provide a second form of authentication, typically a code from a mobile app, in addition to their password. To set up 2FA:

sudo nano /etc/ssh/sshd_config

Add the following lines (end of file):

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Save and restart the SSH service:

sudo systemctl restart sshd

Enabling Challenge-Response Authentication and configuring multiple authentication methods enhances the security posture of your SSH setup.


By following these advanced SSH security practices on AlmaLinux, you can significantly enhance the security of your server. Remember to test any configuration changes thoroughly to avoid accidental lockouts. If you encounter issues or have feedback, feel free to leave a comment below.

Enjoying our content? Your support keeps us going! 🚀

Consider buying us a coffee to help fuel our creativity.