All Posts

How to disable SSH root login on Linux

A short guide on how to quickly disable SSH root login.

Jun 9th, 2020 • 2 min read

This short tutorial aims to build on some of the previous basic server security tips and add some small, extra layers of security to your server.

The root user on any server is essentially a "god user" and has permission to do anything. After the initial setup of a server, if the server has been set up sensibly with different users for different access levels, there should be no reason to login as the root user again unless you need to perform some server maintenance.

Out of the box, you can SSH onto your server as the root user so if a malicious user gains knowledge of your root password or somehow gets your SSH keys, your server will become their little playground. They will be able to do anything they like with your server! Let's fix that!

Opening the SSH Config

First, SSH onto your server using the command below, just switch out the placeholders for your details.

ssh -p PORT username@hostname

For most servers, the SSH config can be found within /etc/ssh/ and it should be called sshd_config. In my command examples, I'll be using "nano" as my editor of choice to edit the configs but you can simply switch nano out for another editor. You will also need to run this command as sudo to open and save the file.

sudo nano /etc/ssh/sshd_config

Updating the Config

Once you have the config file open, find the following option item PermitRootLogin and set it's value to "no".

PermitRootLogin no

After that has been set, save & close the file. With nano, the shortcuts are CTRL + o, then ENTER to confirm and save the file. Then CTRL + x to close the file.

Applying the Update

To apply the update to the server, like most things relating to server configuration, you will need to restart the SSH services. The exact command to do this can vary between the different Linux flavors. These are the common ways it can be done.

sudo service ssh restart

sudo systemctl restart ssh

sudo /etc/init.d/sshd restart

Testing

To test this has all worked, it's recommended that you keep your current terminal window logged in, and open up a new one to test. This is so that if something unexpected has happened you can revert the changes. Then we simply want to attempt to login to the root SSH account.

ssh -p PORT root@hostname

As always, just remember to swap out the port and hostname. This should attempt to log you in and if the test was successful you should see an error message saying Permission denied (publickey).

Once you see that error message, that's it. Your server is now protected from people logging in as root and a small extra layer of security has been added to your server.



Ready to secure your servers?
Get started for free today.

Copyright © 2020 ServerAuth.com, All Rights Reserved. | Terms of Service | Privacy Policy