Prevent SSH Root Login

Today’s article will tell you how, and why you’d want to, disable root login via SSH. It’s actually a brief article and approachable by even a beginner with SSH. If you have SSH enabled, then you may want to make sure to do this.

In some cases, like Ubuntu, the root account is disabled by default. That’s generally a good thing. In that case, this article may be important to you if you’ve enabled root login. This article may also be of interest for those who have changed the port SSH uses. Even if logging in as root is already disabled, it won’t hurt to disable it via SSH. Even if the port has been changed, disabling SSH root login won’t hurt.

So, why would you want to disable root login for SSH? Well, it’s a known account – meaning ‘root’ is pretty standard across the distros. An attacker already has half the information – the name of the account. It’s also an account that has the keys to the kingdom. If you have control of the root account, you have complete control of the system. This is fine if it’s your system and you with the root account, it’s less appreciated when it’s someone else that has control of your devices.

This article is actually pretty easy and is a step I suggest everyone take. What it does is it prevents root login via SSH entirely. It’s a simple step to make your computer more secure by preventing SSH root login. You can still login with other accounts and use sudo, so it’s really not limiting your ability to control the system.

Prevent SSH Root Login:

Like many other articles on this site, this one needs an open terminal. You can open your terminal with your keyboard – just press CTRL + ALT + T and your default terminal should open.

Once you have your terminal open, enter the following command:

sudo nano /etc/ssh/sshd_config

Once that’s open, you’re looking for #PermitRootLogin no. When you find that line, you simply want to remove the # symbol. The end result should look like this:

PermitRootLogin no

In some default configurations, you may see #PermitRootLogin prohibit-password instead. If you uncomment that line, you could still login as root – you just can’t login with a password and would have to use a key like in this article about SSH keys.

In that case, when the line doesn’t exist or is changed, you can just add the line yourself. It won’t hurt anything and will still work. So, just find a blank section in the config file, add a new blank line, and then add the PermitRootLogin no like above.

Once you’re done, you need to save the file. As we’re using nano, you do that by pressing CTRL + X, then Y, and then ENTER. That should save the file with the correct name.

Finally, you will want to reload SSH. That’s easy enough, you reload SSH with the following command:

sudo systemctl reload sshd

That’s it, that’s all you need to do! Once you’ve done that, and you can test it yourself. You shouldn’t be able to login to SSH with the root account, which is a pretty solid security idea. If you can’t login as root, nobody else should be able to login as root.

By the way, if you decide you want to undo this – just go back into the config file and add a # at the start of the line, save it, and restart the sshd daemon. 

Closure:

That’s it. Thanks for reading yet another article! This one is pretty quick and easy, plus it will help you increase your server’s security. There really aren’t many reasons to have SSH root login enabled, and disabling it completely removes that attack vector.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.