News about our company, tutorials about IT and much more you will find in this page.
Everyone knows that Linux systems comes with root user access and by default the root access is enabled for outside world.
For security reason it’s not a good idea to have ssh root access enabled for unauthorized users. Because any hacker can try to brute force your password and gain access to your system.
Disable Root Login
Disable SSH Root Login
So, its better to have another account that you regularly use and then switch to root user by using ‘su -‘ command when necessary. Before we start, make sure you have a regular user account and with that you su or sudo to gain root access.
In Linux, it’s very easy to create separate account, login as root user and simply run the ‘adduser‘ command to create separate user. Once user is created, just follow the below steps to disable root login via SSH.
We use sshd master configuration file to disable root login and this will may decrease and prevent the hacker from gaining root access to your Linux box. We also see how to enable root access again as well as how to limit ssh access based on users list.
Disable SSH Root Login
To disable root login, open the main ssh configuration file /etc/ssh/sshd_config with your choice of editor.
Search for the following line in the file.
Remove the ‘#‘ from the beginning of the line. Make the line look like similar to this.
Next, we need to restart the SSH daemon service.
Now try to login with root user, you will get “Access Denied” error.
login as: root Access denied email@example.com's password:
So, from now onwards login as normal user and then use ‘su’ command to switch to root user.
login as: evoluso Access denied firstname.lastname@example.org's password: Last login: Tue Oct 16 17:37:56 2014 from 192.168.1.256
Enable SSH Root Login
To enable ssh root logging, open the file /etc/ssh/sshd_config.
Search for the following line and put the ‘#‘ at the beginning and save the file.
# PermitRootLogin no
Restart the sshd service.
Now try to login with root user.
login as: root Access denied email@example.com's password: Last login: Tue Nov 20 16:51:41 2014 from 192.168.1.256 [root@evoluso ~]#
Limit SSH User Logins
If you have large number of user accounts on the systems, then it makes sense that we limit remote access to those users who really need it. Open the /etc/ssh/sshd_config file.
Add an AllowUsers line at the bottom of the file with a space separated by list of usernames. For example, user tecmint and sheena both have access to remote ssh.
AllowUsers evoluso sheena
Now restart ssh service.