How to disable root user from direct ssh login
Brute-force login attempts are as common as ever. The account name root exists on every Linux box, so an attacker who can hammer the SSH port only has to guess the password, and given enough attempts even a strong password is at risk from a dictionary or brute-force attack. Hence the need to prevent direct SSH logins for well-known accounts like root or admin.
A safer pattern is to log in as an ordinary account with a non-obvious name and switch to root (with sudo or su) only once connected. Direct SSH access for root is disabled in /etc/ssh/sshd_config by setting PermitRootLogin no. Note that AllowUsers is a whitelist, not a blacklist: when the directive is present, only the users listed may log in at all, so an existing line such as
AllowUsers root
must be changed to name your new admin user, not simply removed (a commented-out line, #AllowUsers root, has no effect either way).
Always test changes from a second session before logging out, or you may lock yourself out of the box.
Here is how to do it on a generic Linux system, step by step:
- Add the user. I've chosen the name editor; you can pick another.
[root@mycomputer ~]# adduser editor
[root@mycomputer ~]# id editor
uid=1007(editor) gid=1008(editor) groups=1008(editor)
- Set the password for the new user. Enter and confirm the new password at the prompt.
[root@mycomputer ~]# passwd editor
Changing password for user editor.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
- To give the new user editor sudo rights, edit /etc/sudoers with visudo (it syntax-checks the file before saving; a broken sudoers file locks everyone out of sudo) and remove the comment # in front of the line
%wheel ALL=(ALL) ALL
which grants sudo rights to the group wheel. Then add the user to that group:
usermod -aG wheel editor
This is the approach Red Hat recommends. On Debian and Ubuntu the equivalent group is sudo, so use usermod -aG sudo editor there.
Another way is to grant sudo rights to the user editor directly. Once again this is done by adding a line to /etc/sudoers (via visudo):
editor ALL=(ALL) ALL
- Now ssh to the server as the new user. Make sure everything works and the user has all the rights you need.
[root@mycomputer ~]# ssh editor@myserver
editor@myserver's password:
[editor@myserver ~]$
- Check that you can switch to root from the user editor:
[editor@myserver ~]$ sudo su
Password:
[root@myserver ~]# whoami
root
- After you are completely sure the new user editor works as expected, disable root access via ssh. Edit the file
[root@myserver ~]# nano /etc/ssh/sshd_config
and set
PermitRootLogin no
If the file contains an AllowUsers line, make sure it names the new user (for example AllowUsers editor) and not only root, since only the users listed there can log in at all. Check the edited file with
[root@myserver ~]# sshd -t
which prints nothing when the configuration is valid.
- The last step is to restart the sshd service. Keep your current session open, and from a second terminal confirm that editor can still log in and that root is refused, before you close it.
for RedHat Centos Fedora
[root@myserver ~]# service sshd restart
for Ubuntu Debian
[root@myserver ~]# service ssh restart
On current systemd-based releases of either family, systemctl restart sshd (or systemctl restart ssh on Debian and Ubuntu) does the same.
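The whole procedure above, gathered into one POSIX shell script as an added example; this is not the article's own code. It assumes the admin user is called editor, that /etc/ssh/sshd_config is the live configuration, and that the function names (set_sshd_option, harden_sshd_config and so on) are my own. Two details go beyond the text: the script detects whether the sudo group is wheel (Red Hat family) or sudo (Debian family), and it writes each directive at the top of sshd_config rather than appending, because sshd takes the first value it sees for a keyword and a line appended after a trailing Match block would apply only inside that block.

```shell
#!/bin/sh
# Added example: create an admin user, disable direct root SSH login, and
# whitelist the admin user. Run as root with "apply [username]" to change the
# real system; with no arguments it only edits a constructed sample copy.

# set_sshd_option FILE KEY VALUE
# Remove every existing definition of KEY (commented or not, anywhere in the
# file) and put "KEY VALUE" on the first line. sshd uses the first value it
# reads for a keyword, so a top-of-file line always wins and can never end
# up inside a Match block at the bottom of the file.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    { printf '%s %s\n' "$key" "$value"
      grep -Ev "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)" "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file"   # rewrite in place to keep the file's mode and owner
    rm -f "$tmp"
}

# harden_sshd_config FILE ADMIN_USER
# The two directives the article discusses: no direct root login, and an
# AllowUsers whitelist that names the admin user instead of root.
harden_sshd_config() {
    cfg=$1; admin=$2
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" AllowUsers "$admin"
}

# effective_value FILE KEY
# Print the value sshd would use: the first uncommented occurrence
# (Match-block scoping is ignored here, which is fine for lines we put first).
effective_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|=)" "$1" | head -n 1 \
        | sed -E 's/^[[:space:]]*[^[:space:]=]+[[:space:]=]+//'
}

# create_admin_user NAME
# useradd is what the article's "adduser" resolves to on Red Hat systems;
# Debian's adduser is an interactive wrapper, so useradd works on both.
create_admin_user() {
    user=$1
    useradd -m -s /bin/bash "$user"
    passwd "$user"
    if getent group wheel >/dev/null; then grp=wheel; else grp=sudo; fi
    usermod -aG "$grp" "$user"   # wheel on RHEL/CentOS/Fedora, sudo on Debian/Ubuntu
}

# apply_and_restart FILE
# Syntax-check first: restarting sshd on a broken file can lock you out.
apply_and_restart() {
    sshd -t -f "$1" || { echo "sshd_config is invalid, not restarting" >&2; return 1; }
    systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null \
        || service sshd restart 2>/dev/null || service ssh restart
}

# make_sample_config FILE
# Constructed sample, not a real server's file: a commented default, an
# insecure live setting, a root-only whitelist and a trailing Match block.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
AllowUsers root
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

if [ "${1:-}" = "apply" ]; then
    admin=${2:-editor}
    create_admin_user "$admin"
    harden_sshd_config /etc/ssh/sshd_config "$admin"
    apply_and_restart /etc/ssh/sshd_config
else
    # Dry run on the constructed sample so the result can be inspected safely.
    demo=$(mktemp)
    make_sample_config "$demo"
    harden_sshd_config "$demo" editor
    cat "$demo"
    rm -f "$demo"
fi
```

Run it once without arguments to see what the rewrite does to the sample file; in the dry run the output starts with AllowUsers editor and PermitRootLogin no, the old PermitRootLogin yes and AllowUsers root lines are gone, and the Match block is untouched. Only then run it as root with apply, from a session you keep open while you verify the new login from a second terminal.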