How to disable root user from direct ssh login
Brute-force login attempts are as common as ever. Even if you have a strong root password, it is a matter of time before it is cracked using a dictionary attack. Hence the need to prevent direct ssh logins for common accounts like root or admin.
Generally, it’s safe to use a hidden “su” user first, then switch to root or other accounts once connected. Disable any well-known accounts (root, admin, etc.) that don’t need direct access by editing /etc/ssh/sshd_config and removing or commenting out the corresponding line:
#AllowUsers root
Always test changes before logging out, or you may lock yourself out of the box.
Here is how you can do it on a generic Linux system in three simple steps:
- Add the user. I’ve chosen the user editor. You can pick some other name.
[root@mycomputer ~]# adduser editor
[root@mycomputer ~]# id editor
uid=1007(editor) gid=1008(editor) groups=1008(editor)
[root@mycomputer ~]# whoami
editor
- Set the password for the new user. Enter and confirm the new password at the command prompt.
[root@mycomputer ~]# passwd editor
Changing password for user editor.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@mycomputer ~]#
- To give sudo permissions to the new user editor, edit the file /etc/sudoers and remove the comment # in front of the statement
%wheel ALL=(ALL) ALL
which gives sudo permissions to the group wheel. Then add the user to the wheel group:
usermod -aG wheel editor
At least this is the approach recommended by Red Hat.
Another way of doing this is to give sudo permissions directly to the user editor. Once again, this is done by adding a line to /etc/sudoers:
editor ALL=(ALL) ALL
- Now ssh to the server as the new user. Make sure everything is okay and the user has all the rights you need.
[root@mycomputer ~]# ssh editor@myserver
editor@myserver's password:
[editor@editor ~]$
- Check that you can su (switch user) to root from the user editor
[editor@editor ~]$ sudo su
Password:
[root@editor ~]# whoami
root
- After you are completely sure the new user editor works as expected, you can disable root access via ssh. Edit the file
[root@editor ~]# nano /etc/ssh/sshd_config
and either set
PermitRootLogin no
or remove/comment out the line
AllowUsers root
- The last step is to restart the sshd service.
For Red Hat, CentOS, Fedora:
[root@editor ~]# service sshd restart
For Ubuntu, Debian:
[root@editor ~]# service ssh restart
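
To check the edited file before restarting sshd, the following added example (not part of the original page) reads an sshd_config and reports whether root can still log in, including the case where the AllowUsers line is commented out but PermitRootLogin is left unset. The function names, status words and sample file are assumptions made for the illustration; it reads only the global section and does not follow Include files.

```shell
#!/bin/sh
# Added example: report whether an sshd_config still lets root log in over ssh.
# Assumptions: only the global section is read (parsing stops at the first
# Match block), Include files are not followed, and AllowUsers patterns are
# recognised only as "root", "*" or either followed by "@host".

# Print the first global value of a keyword; sshd keeps the first one it reads.
first_value() {  # $1 = keyword, $2 = config file
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$2"
}

# Print every global AllowUsers pattern, one per line.
allow_users() {  # $1 = config file
    awk '
        tolower($1) == "match" { exit }
        $1 ~ /^#/ { next }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print "blocked", "key-only" or "allowed" for the root account.
root_login_status() {  # $1 = config file
    permit=$(first_value PermitRootLogin "$1")
    users=$(allow_users "$1")
    if [ "$permit" = "no" ]; then
        echo blocked; return
    fi
    # A non-empty AllowUsers list that does not name root also keeps root out.
    if [ -n "$users" ] && ! printf '%s\n' "$users" | grep -Eq '^(root|\*)(@.*)?$'; then
        echo blocked; return
    fi
    case "$permit" in
        # Unset means the upstream OpenSSH default, prohibit-password.
        ""|prohibit-password|without-password|forced-commands-only) echo key-only ;;
        *) echo allowed ;;
    esac
}

# Constructed sample: AllowUsers line commented out, PermitRootLogin set to no.
sample=$(mktemp)
printf '%s\n' '#AllowUsers root' 'PermitRootLogin no' > "$sample"
echo "sample config: root is $(root_login_status "$sample")"
rm -f "$sample"
```

On a live host, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective settings; run both from a second session before closing the one you are logged in with.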

