This short tutorial aims to build on some of the previous basic server security tips and add some small, extra layers of security to your server.
root user on any server is essentially a "god user" and has permission to do anything. After the initial setup of a server, if the server has been set up sensibly with different users for different access levels, there should be no reason to login as the root user again unless you need to perform some server maintenance.
Out of the box, you can SSH onto your server as the root user so if a malicious user gains knowledge of your root password or somehow gets your SSH keys, your server will become their little playground. They will be able to do anything they like with your server! Let's fix that!
Opening the SSH Config
First, SSH onto your server using the command below, just switch out the placeholders for your details.
ssh -p PORT username@hostname
For most servers, the SSH config can be found within
/etc/ssh/ and it should be called
sshd_config. In my command examples, I'll be using "nano" as my editor of choice to edit the configs but you can simply switch nano out for another editor. You will also need to run this command as
sudo to open and save the file.
sudo nano /etc/ssh/sshd_config
Updating the Config
Once you have the config file open, find the following option item
PermitRootLogin and set it's value to "no".
After that has been set, save & close the file. With nano, the shortcuts are
CTRL + o, then
ENTER to confirm and save the file. Then
CTRL + x to close the file.
Applying the Update
To apply the update to the server, like most things relating to server configuration, you will need to restart the SSH services. The exact command to do this can vary between the different Linux flavors. These are the common ways it can be done.
sudo service ssh restart sudo systemctl restart ssh sudo /etc/init.d/sshd restart
To test this has all worked, it's recommended that you keep your current terminal window logged in, and open up a new one to test. This is so that if something unexpected has happened you can revert the changes. Then we simply want to attempt to login to the root SSH account.
ssh -p PORT root@hostname
As always, just remember to swap out the port and hostname. This should attempt to log you in and if the test was successful you should see an error message saying
Permission denied (publickey).
Once you see that error message, that's it. Your server is now protected from people logging in as root and a small extra layer of security has been added to your server.