How to Disable SSH Root Login
SSH (Secure Shell) is the standard protocol for securely accessing remote servers. Allowing direct root login via SSH poses a security risk because attackers often target this account due to its maximum privileges. Disabling root login through SSH is a key step to enhancing your Linux server's security. In this article, we will cover how to disable SSH root login and why it's important.
Why It's Important to Disable SSH Root Login
The root account has unlimited privileges on a Linux system, making it a primary target for attacks. If an attacker gains access to the root account, they can take full control of the system. Allowing root login via SSH significantly increases the chances of server compromise. Disabling this feature and using a less privileged user in combination with sudo commands adds an extra layer of security.
Steps to Disable SSH Root Login
Disabling SSH root login involves editing the sshd_config configuration file. Here’s a step-by-step guide:
1. Log in to the server via SSH
First, log into your server via SSH if you’re not already logged in. Use either the root account or another user with sudo privileges:
ssh user@server_address
2. Open the SSH configuration file
The SSH server configuration file is usually located at /etc/ssh/sshd_config. Open this file with a text editor such as nano or vim:
sudo nano /etc/ssh/sshd_config
3. Find the PermitRootLogin directive
In the configuration file, locate the line containing the PermitRootLogin directive. It should look something like this:
#PermitRootLogin prohibit-password
The leading # means the line is commented out and simply shows the default value. By default, root login is allowed but restricted to public key authentication (prohibit-password). Your goal is to completely disable root login.
4. Disable root login
To disable root login via SSH, change the line to the following, removing the leading # if present so that the directive is no longer commented out:
PermitRootLogin no
This will completely disable root login via SSH, whether by password or public key.
5. Restart the SSH service
After making changes, you must restart the SSH service for them to take effect. Use the following command (on some distributions the service is named sshd instead of ssh):
sudo systemctl restart ssh
Alternatively, on some systems, you can use:
sudo service ssh restart
6. Test the new configuration
To test the new settings, try logging into the server as the root user via SSH:
ssh root@server_address
If the configuration is correct, SSH should deny the login attempt.
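The precedence rule behind steps 3 and 4, as an added example that is not part of the original article: sshd uses the first value it reads for each keyword, so a PermitRootLogin line in an included drop-in file or earlier in the file can win over your edit, and a Match block can override it for some connections. The function names and the sample configuration are constructed for illustration, and the script only works on a temporary copy.

```shell
#!/bin/sh
# Added example. Works on a constructed copy, never on /etc/ssh/sshd_config.

# Value sshd takes from this file: the first uncommented PermitRootLogin line
# before any Match block wins; if none, the default prohibit-password applies.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# Count PermitRootLogin lines inside Match blocks. They override the global
# value for matching connections, so review each one by hand.
match_overrides() {
    awk 'tolower($1) == "match" { in_match = 1; next }
         in_match && tolower($1) == "permitrootlogin" { n++ }
         END { print n + 0 }' "$1"
}

# Write a hardened copy to $2: drop global PermitRootLogin lines (commented or
# not) and put "PermitRootLogin no" first, ahead of any Include line.
harden_config() {
    { echo "PermitRootLogin no"
      awk 'tolower($1) == "match" { in_match = 1 }
           !in_match && tolower($0) ~ /^[ \t]*#?[ \t]*permitrootlogin[ \t]/ { next }
           { print }' "$1"
    } > "$2"
}

# Constructed sample input, not taken from a real server.
write_sample() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
permitrootlogin yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/sshd_config"
harden_config "$demo_dir/sshd_config" "$demo_dir/sshd_config.new"
echo "before: $(effective_permit_root_login "$demo_dir/sshd_config")"
echo "after:  $(effective_permit_root_login "$demo_dir/sshd_config.new")"
echo "Match-block overrides to review: $(match_overrides "$demo_dir/sshd_config.new")"
rm -rf "$demo_dir"
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart, and sudo sshd -T | grep -i permitrootlogin prints the value sshd will actually apply.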
Creating a Non-Root User with Sudo Privileges
If you disable root login, it’s important to have a non-root user with sudo privileges so that you can still perform administrative tasks; set this user up before you restart SSH with root login disabled. If you don’t have such a user yet, follow these steps:
1. Create a new user
Use the adduser command to create a new user:
sudo adduser new_user
2. Add the user to the sudo group
Add the user to the sudo group to grant administrative privileges:
sudo usermod -aG sudo new_user
3. Log in as the new user
Log out and log in as the new user to test their sudo privileges:
ssh new_user@server_address
4. Use sudo for administrative tasks
Try running an administrative command using sudo:
sudo apt update
If everything is set up correctly, you’ll be prompted to enter the new user’s password, and the command will execute.
Disabling SSH root login is one of the key steps in improving the security of your Linux server. This reduces the risk of an attacker gaining direct access to administrative rights on the system. Combined with creating a non-root user with sudo privileges, this is a fundamental security measure that every server administrator should implement.