All Posts

How to disable SSH root login on Linux

Posted by Mike on June 9th, 2020
disable-root-login.jpeg

This short tutorial aims to build on some of the previous basic server security tips and add some small, extra layers of security to your server.

The root user on any server is essentially a "god user" and has permission to do anything. After the initial setup of a server, if the server has been set up sensibly with different users for different access levels, there should be no reason to login as the root user again unless you need to perform some server maintenance.

Out of the box, you can SSH onto your server as the root user so if a malicious user gains knowledge of your root password or somehow gets your SSH keys, your server will become their little playground. They will be able to do anything they like with your server! Let's fix that!

Opening the SSH Config

First, SSH onto your server using the command below, just switch out the placeholders for your details.

ssh -p PORT username@hostname

For most servers, the SSH config can be found within /etc/ssh/ and it should be called sshd_config. In my command examples, I'll be using "nano" as my editor of choice to edit the configs but you can simply switch nano out for another editor. You will also need to run this command as sudo to open and save the file.

sudo nano /etc/ssh/sshd_config

Updating the Config

Once you have the config file open, find the following option item PermitRootLogin and set it's value to "no".

PermitRootLogin no

After that has been set, save & close the file. With nano, the shortcuts are CTRL + o, then ENTER to confirm and save the file. Then CTRL + x to close the file.

Applying the Update

To apply the update to the server, like most things relating to server configuration, you will need to restart the SSH services. The exact command to do this can vary between the different Linux flavors. These are the common ways it can be done.

sudo service ssh restart

sudo systemctl restart ssh

sudo /etc/init.d/sshd restart

Testing

To test this has all worked, it's recommended that you keep your current terminal window logged in, and open up a new one to test. This is so that if something unexpected has happened you can revert the changes. Then we simply want to attempt to login to the root SSH account.

ssh -p PORT root@hostname

As always, just remember to swap out the port and hostname. This should attempt to log you in and if the test was successful you should see an error message saying Permission denied (publickey).

Once you see that error message, that's it. Your server is now protected from people logging in as root and a small extra layer of security has been added to your server.

Server Management & Security doesn't have to be a full time job.

ServerAuth provides a whole host of management tools, from controlling who can access your server, to adding cron jobs, securing your servers and installing packages. And with an ever growing suite of tools you'll always be one step ahead!

Start for free
Server Management Software Screenshot
ServerAuth
Server Management & SSH Security Software
 on Twitter
Copyright © ServerAuth Ltd
Registered in England No. 13996293
All Rights Reserved.
Solutions
Support
Customers
ServerAuth
The Legal Bits