Security

Prevent SSH Root Login

Today’s article will tell you how, and why you’d want to, disable root login via SSH. It’s actually a brief article and approachable by even a beginner with SSH. If you have SSH enabled, then you may want to make sure to do this.

In some cases, like Ubuntu, the root account is disabled by default. That’s generally a good thing. In that case, this article may be important to you if you’ve enabled root login. This article may also be of interest for those who have changed the port SSH uses. Even if logging in as root is already disabled, it won’t hurt to disable it via SSH. Even if the port has been changed, disabling SSH root login won’t hurt.

So, why would you want to disable root login for SSH? Well, it’s a known account – meaning ‘root’ is pretty standard across the distros. An attacker already has half the information – the name of the account. It’s also an account that has the keys to the kingdom. If you have control of the root account, you have complete control of the system. This is fine if it’s your system and you with the root account, it’s less appreciated when it’s someone else that has control of your devices.

This article is actually pretty easy and is a step I suggest everyone take. What it does is it prevents root login via SSH entirely. It’s a simple step to make your computer more secure by preventing SSH root login. You can still login with other accounts and use sudo, so it’s really not limiting your ability to control the system.

Prevent SSH Root Login:

Like many other articles on this site, this one needs an open terminal. You can open your terminal with your keyboard – just press CTRL + ALT + T and your default terminal should open.

Once you have your terminal open, enter the following command:

sudo nano /etc/ssh/sshd_config

Once that’s open, you’re looking for #PermitRootLogin no. When you find that line, you simply want to remove the # symbol. The end result should look like this:

PermitRootLogin no

In some default configurations, you may see #PermitRootLogin prohibit-password instead. If you uncomment that line, you could still login as root – you just can’t login with a password and would have to use a key like in this article about SSH keys.

In that case, when the line doesn’t exist or is changed, you can just add the line yourself. It won’t hurt anything and will still work. So, just find a blank section in the config file, add a new blank line, and then add the PermitRootLogin no like above.

Once you’re done, you need to save the file. As we’re using nano, you do that by pressing CTRL + X, then Y, and then ENTER. That should save the file with the correct name.

Finally, you will want to reload SSH. That’s easy enough, you reload SSH with the following command:

sudo systemctl reload sshd

That’s it, that’s all you need to do! Once you’ve done that, and you can test it yourself. You shouldn’t be able to login to SSH with the root account, which is a pretty solid security idea. If you can’t login as root, nobody else should be able to login as root.

By the way, if you decide you want to undo this – just go back into the config file and add a # at the start of the line, save it, and restart the sshd daemon. 

Closure:

That’s it. Thanks for reading yet another article! This one is pretty quick and easy, plus it will help you increase your server’s security. There really aren’t many reasons to have SSH root login enabled, and disabling it completely removes that attack vector.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

KGIII

Retired mathematician, residing in the mountains of Maine. I may be old and wise, but I am not infallible. Please point out any errors. And, as always, thanks again for reading.

Recent Posts

Enable/Disable Your Network Interface

Today we'll cover one way to enable or disable your network interface in the Linux…

6 months ago

Check Your NIC Speed In The Terminal

Today's exercise is a nice and simple exercise where we check your NIC speed in…

6 months ago

Easily Monitor Your Wireless Connection

Have you ever wanted to easily monitor your wireless connection? Well, now you can learn…

6 months ago

Count The Files In A Directory

I think I've covered this before with the ls command but this time we'll count…

6 months ago

Get System Information With The ‘uname’ Command In Linux

Today we'll be learning about a basic Linux command that's known as 'uname' and it…

6 months ago

hardinfo Has Been Rebooted As hardinfo2

If you've used hardinfo in the past, it may interest you to know that hardinfo…

6 months ago