How to disable root user from direct ssh login

Brute Force Login Attempts are as common as ever. Even if you have a strong root password, it is a matter of time for it to be cracked using a dictionary attack. Hence the need to prevent direct ssh logins for common accounts like root or admin.

Generally, it’s safe to use a hidden “su” user first, then login to root or other accounts once connected. Disable any well known accounts (root, admin, etc) that don’t need direct access by editing the /etc/ssh/sshd_config and removing or commenting  out the section with the code.

#AllowUsers root

Always test changes before logging out else you may lock yourself out from the box.

Here how you can do it on a generic Linux system is three simple steps:

  1. Add the user. I’ve chosen the user editor. You can pick some other name.
    [root@mycomputer ~]# adduser editor
    [root@mycomputer ~]# id editor
    [root@mycomputer ~]# uid=1007(editor) gid=1008(editor) groups=1008(editor)
    [root@mycomputer ~]# whoami
    [root@mycomputer ~]# editor
  2. Set the password for the new user. Enter and confirm the new password at the command prompt.[root@mycomputer ~]# passwd editor
    Changing password for user editor.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    [root@mycomputer ~]#
  3. In order to give sudo permissions of the new user editor you have to edit the file /etc/sudoers, remove the comment # in front of the statement
    %wheel ALL=(ALL) ALL
    where you will give su permissions to the group wheel. Add the user to the wheel group.
    usermod -aG wheel editor.
    At least this is the approach recommended from by RedHat
    Another way of doing this is by giving su permissions to the user editor. Once again this is done by adding a line in /etc/sudoers
    editor ALL=(ALL) ALL
  4. Now ssh to the server with the new user. Make sure everything is okay and the user has all the rights you need.
    [root@mycomputer ~]# ssh editor@myserver
    editor@myderver's password:
    [editor@editor ~]$
  5. Check if you can su (switch user) to root from the user admin
    [admin@admin ~]$ sudo su
    Password:
    [root@editor ~]# whoami
    [root@editor ~]# root
  6. After you are completely sure the new user editor works as expected, you can disable root access via ssh. Edit the file
    [root@editor ~]$ nano /etc/ssh/sshd_config
    and either set
    PermitRootLogin no
    or remove/ comment out the line
    AllowUsers root
  7. The last step is to restart the sshd service.
    for RedHat Centos Fedora
    [root@editor ~]# service sshd restart
    for Ubuntu Debian
    [root@editor ~]# service ssh restart

Diana D has written 18 articles

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>