Securing Root by Disabling Password Login


It is generally not advised to use root as the main account on a server, for several reasons. With root privileges a single mistyped command can break the system, and nothing stands in its way. Moreover, when software is installed as root, every package and its post-install scripts run with permission to write anywhere on the file system.

Logging in as root over SSH with password authentication is worse still: root is the one account name every attacker already knows, so a dictionary or brute-force attack only has to guess the password.

That is reason enough to stop using root directly and set up a secondary user account with sudo privileges, which is also what most distributions recommend.

Create New User account

Here is how to create a new user account on Linux. Assuming you are logged in as root, run the following command to create a new user named wired. The -m flag creates the home directory, which a bare useradd does not do on Debian and Ubuntu.

useradd -m wired

Now to setup the password for the new account, run:

passwd wired
New password:
Retype new password:

Type the password and confirm it a second time. Nothing is echoed to the screen while you type, which is expected. This sets up password-based authentication for the new account; SSH keys are safer than a password and can be set up later.

Equip with Admin Privileges

There are two ways to give the new user admin (root) privileges.

  1. Adding a rule for the user to the /etc/sudoers file. Edit it with visudo rather than opening it in a plain editor: visudo locks the file and refuses to save a rule with a syntax error, and a broken /etc/sudoers can lock you out of sudo entirely.
visudo

This opens the file in a text editor (vi by default). Enter insert mode by pressing i and append a line granting the user full privileges, for instance

wired ALL=(ALL:ALL) ALL

then save and exit by hitting :wq. Appending only the bare username, without the rest of the rule, is a syntax error.

  2. Adding the user to the distribution's admin group

The second method is to add the user to the sudo group, which the default /etc/sudoers on Debian and Ubuntu already grants full privileges. Keep the -a flag: without it, usermod replaces the user's supplementary groups instead of appending to them.

usermod -aG sudo wired

On RHEL, Fedora and Arch the equivalent group is wheel.

Disabling Root Password Login

Note: You can disable root password login and still access the root account with SSH keys, but the keys must be set up and tested before password login is disabled, or you may lock yourself out.

To disable root password login over SSH, edit the sshd_config file:

vim /etc/ssh/sshd_config

Look for the line reading PermitRootLogin, uncomment it and set its value to prohibit-password. This blocks password (and keyboard-interactive) authentication for root while still allowing key-based root logins. If you want to disable root login over SSH completely, keys included, set the value to no instead. sshd honours the first occurrence of a directive, not the last, so make sure there is no earlier uncommented PermitRootLogin line in the file.

PermitRootLogin prohibit-password

Save your changes and restart the SSH daemon. The unit is named ssh on Debian and Ubuntu and sshd on RHEL and Fedora. Keep your current session open and test the new settings from a second terminal before logging out.

systemctl restart ssh

Now even someone who knows the root password cannot log in as root over SSH with it. If you have SSH keys set up for root you can still log in that way, which is the recommended method anyway. Note that this setting only protects the root account; other users can still log in with passwords unless PasswordAuthentication is also set to no.
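The whole procedure above, put into one script as an added example; this is not code from the original post. It assumes the new admin user is called wired, that the administrator's public key is in the file named by the PUBKEY environment variable, that the live system is only modified when the script is given the word apply as its argument, and that the system is either Debian/Ubuntu-like (admin group sudo, unit ssh) or RHEL/Fedora/Arch-like (admin group wheel, unit sshd). It goes a little beyond the post: the key is installed before sshd is touched, the configuration is validated with sshd -t before the restart, and the value sshd will actually use is read back, because sshd honours the first occurrence of a directive and a stale line earlier in the file would silently win.

```shell
#!/bin/sh
# Added example, not code from the original post: the procedure as one script.
# Assumptions (mine): admin user "wired", admin public key in $PUBKEY, and a
# Debian/Ubuntu-like (group "sudo") or RHEL/Fedora/Arch-like (group "wheel") system.
set -eu

USER_NAME="${USER_NAME:-wired}"
PUBKEY="${PUBKEY:-}"            # path to the admin's public key, e.g. id_ed25519.pub

# Pick the distro's sudo-enabled group from an os-release file. The path is a
# parameter so the function can be run against a sample file as well as /etc/os-release.
admin_group_for() {
    ids=$(. "$1" && printf '%s %s' "${ID:-}" "${ID_LIKE:-}")
    case " $ids " in
        *debian*|*ubuntu*)                echo sudo ;;
        *rhel*|*fedora*|*centos*|*arch*)  echo wheel ;;
        *)                                echo sudo ;;
    esac
}

# Set a global sshd directive. sshd uses the FIRST occurrence of a keyword, so
# the new line goes at the top; older global copies are commented out, and
# anything inside a Match block is left alone (that is conditional config).
set_sshd_option() {
    file="$1"; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); value="$3"
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$2" "$value"
        awk -v k="$key" '
            tolower($1) == "match"         { in_match = 1 }
            !in_match && tolower($1) == k  { print "#" $0; next }
                                           { print }' "$file"
    } > "$tmp"
    cat "$tmp" > "$file"     # overwrite in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Report the global value sshd will use for a keyword: first match wins,
# stopping at the first Match block. Use it to verify the edit took effect.
effective_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }' "$1"
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    [ -n "$PUBKEY" ] && [ -r "$PUBKEY" ] || { echo "set PUBKEY to the admin public key first" >&2; return 1; }

    group=$(admin_group_for /etc/os-release)
    # -m creates the home directory; a bare "useradd" does not on Debian/Ubuntu.
    id "$USER_NAME" >/dev/null 2>&1 || useradd -m -s /bin/bash "$USER_NAME"
    usermod -aG "$group" "$USER_NAME"

    # Install the key BEFORE touching sshd so a key-based login always exists.
    home=$(getent passwd "$USER_NAME" | cut -d: -f6)
    pgrp=$(id -gn "$USER_NAME")
    install -d -m 700 -o "$USER_NAME" -g "$pgrp" "$home/.ssh"
    install -m 600 -o "$USER_NAME" -g "$pgrp" "$PUBKEY" "$home/.ssh/authorized_keys"

    set_sshd_option /etc/ssh/sshd_config PermitRootLogin prohibit-password
    sshd -t                  # refuse to restart on a config sshd cannot parse
    # Debian/Ubuntu name the unit "ssh"; RHEL/Fedora name it "sshd".
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
    echo "PermitRootLogin is now: $(effective_sshd_option /etc/ssh/sshd_config PermitRootLogin)"
}

# Nothing on the live system is touched unless explicitly asked.
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as root with PUBKEY=/path/to/id_ed25519.pub sh harden-root.sh apply (the file name is mine); without the apply argument it only defines the functions. Keep the session you ran it from open, log in as wired from a second terminal, and confirm that sudo -l lists the rule and that a root password login is refused before closing the original session.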

That is all for today. If you found this post useful consider sharing it with friends & subscribe for regular posts using RSS or Telegram.
