CentLinux

Linux Server, DevOps, Kubernetes, and Beyond

How to Disable SSH Root Login in Linux 9

Disable SSH root login to enhance your Linux server security. Learn step-by-step how to configure and implement this crucial security measure on Linux 9 to protect your system from unauthorized access.

What is SSH?

SSH stands for Secure Shell. It is a network protocol that provides a secure way for remote access and management of network devices and systems. It allows users to securely log in to a remote computer over a network, execute commands on the remote machine, and transfer files between the local and remote machines.

SSH encrypts all the data transmitted between the client and server, preventing any unauthorized access to the information. This makes it a secure and reliable method for remote access and management of network systems.

SSH uses a client-server model, where the client initiates a connection to the server, and both parties authenticate each other using digital certificates or passwords. Once the connection is established, the client can securely communicate with the server over the encrypted tunnel.

SSH is widely used for remote server administration, file transfers, and tunneling applications. It is supported by most operating systems, including Windows, Linux, and macOS.

What is SSH Root Login?

SSH root login refers to the ability to log in directly to a system as the root user using the SSH protocol. The root user is the superuser or administrative account in Unix-like operating systems, including Linux. It has unrestricted access to all files and commands on the system, making it extremely powerful and potentially dangerous if misused.

Enabling SSH root login means allowing direct access to the root account over a network using SSH. However, it is generally considered a security risk to allow SSH root login for several reasons:

  1. Increased Vulnerability: Granting root access over SSH increases the risk of unauthorized access to the system. Attackers commonly target root accounts as they provide unrestricted control over the system.
  2. Audit Trail: Allowing direct root login can make it difficult to track user activity and maintain an audit trail of administrative actions performed on the system. It’s preferable to have administrators log in with individual accounts and use sudo or su to perform administrative tasks.
  3. Mitigation of Mistakes: Allowing direct root login increases the likelihood of accidental system changes or deletions. By requiring administrators to authenticate themselves with individual accounts before accessing root privileges, it adds an extra layer of protection against unintentional errors.

For these reasons, it’s recommended to disable SSH root login and instead use SSH key-based authentication or enforce the use of individual user accounts with sudo privileges for administrative tasks. This helps enhance the security posture of the system and mitigate the risk of unauthorized access or accidental damage.

Create a Linux Admin User

Using the ssh command, log in to your Rocky Linux server as the root user.

# ssh root@192.168.116.128
The authenticity of host '192.168.116.128 (192.168.116.128)' can't be established.
ED25519 key fingerprint is SHA256:0HIa3JkQYbEmBNv/W6RyztUXEmxtgCheMZSSErNWi5E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.116.128' (ED25519) to the list of known hosts.
root@192.168.116.128's password:
Last login: Thu May  4 08:40:40 2023 from 192.168.116.1

To enhance security and reduce reliance on the root user, it’s advisable to create a dedicated Linux admin user as an alternative to the default superuser. This newly created admin user will serve as your primary access point for SSH sessions once root login has been disabled. By using a non-root admin user, you minimize the risk of unauthorized access and better manage permissions.

To create a Linux admin user and assign a password for it, execute the following commands in your Linux terminal. This will establish a secure and effective alternative for system administration tasks, ensuring proper access control and minimizing the potential attack surface.

# adduser ahmer
# passwd ahmer
Changing password for user ahmer.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

To grant the newly created admin user the necessary privileges for executing administrative tasks, you’ll need to edit the /etc/sudoers file. This can be done using the Vim text editor, or alternatively, you can execute the visudo command, which is the recommended and safer method. The visudo command ensures proper syntax checking to prevent any errors that could lock you out of the system due to a misconfigured sudoers file. By editing this file, you will define the permissions and ensure that your new admin user has the appropriate rights to perform tasks requiring elevated privileges.

# visudo

Add the following line to this file to grant sudo permissions to your admin user.

ahmer   ALL=(ALL)       ALL

Disable SSH Root Login

The configuration files for SSH are typically stored in the /etc/ssh directory on most Linux systems. To begin disabling root login over SSH, you need to edit the 01-permitrootlogin.conf file, which controls the settings for root access. This file is pre-existing in a minimal installation of Rocky Linux 9, so you can directly modify it using the Vim text editor. If you’re working with other Linux distributions, however, you may need to create this configuration file manually before proceeding. Once you’ve located or created the file, you can make the necessary changes to restrict root login via SSH, thereby enhancing the security of your server by ensuring that administrative access is only possible through a non-root user.

# vi /etc/ssh/sshd_config.d/01-permitrootlogin.conf

Locate and set the following directive in this file.

PermitRootLogin no

After making the necessary changes to the SSH configuration file, it is essential to restart the SSH daemon in order for the changes to take effect. This process ensures that the updated settings are properly applied, and the server begins enforcing the new restrictions on root access. You can restart the SSH daemon by executing the appropriate command on the terminal, which will reload the configuration files and establish the updated security parameters. Restarting the daemon is a crucial step to ensure your SSH server functions according to the modified settings, helping to maintain the security and integrity of your Linux system.

# systemctl restart sshd.service

Now, try to create an SSH session as the root user.

# ssh root@192.168.116.128
root@192.168.116.128's password:
Permission denied, please try again.

A ‘Permission denied’ message confirms that SSH root login has been disabled successfully. However, you can still obtain an SSH shell by using the alternate admin user that you created at the start of this tutorial.
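
The drop-in file only takes effect if no configuration line read before it sets PermitRootLogin, because sshd uses the first value it obtains for each keyword. The script below is an added example, not part of the original article: it resolves the global value from a configuration tree by following Include lines in sorted order. The function names, the ROOT prefix argument and the 99-local.conf file are assumptions made for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: resolve the global PermitRootLogin value from a config tree.
# sshd_config(5): for each keyword, the first obtained value is used.
# Simplified: whitespace-separated "Keyword value" lines; Match blocks are skipped.

# scan FILE ROOT: print the first global PermitRootLogin reachable from FILE.
scan() (
    file=$1 root=$2 in_match=0
    [ -r "$file" ] || exit 1
    while read -r key val rest || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            ''|'#'*) continue ;;
            match) in_match=1 ;;          # everything after this is conditional
            include)
                [ "$in_match" -eq 0 ] || continue
                # Relative Include patterns are resolved under /etc/ssh.
                case $val in /*) pat=$root$val ;; *) pat=$root/etc/ssh/$val ;; esac
                for inc in $pat; do       # unquoted on purpose: glob expands sorted
                    found=$(scan "$inc" "$root") && { printf '%s\n' "$found"; exit 0; }
                done ;;
            permitrootlogin)
                [ "$in_match" -eq 0 ] || continue
                printf '%s\n' "$val"; exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# effective_permit_root_login [ROOT]: ROOT is a hypothetical path prefix
# (empty for the live system, or a staged/mounted copy of the filesystem).
effective_permit_root_login() {
    scan "${1:-}/etc/ssh/sshd_config" "${1:-}" || printf '%s\n' prohibit-password
}

# Constructed sample tree (not from a real host).
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh/sshd_config.d"
printf 'Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin yes\n' \
    > "$demo/etc/ssh/sshd_config"
printf 'PermitRootLogin no\n' > "$demo/etc/ssh/sshd_config.d/01-permitrootlogin.conf"
printf 'PermitRootLogin yes\n' > "$demo/etc/ssh/sshd_config.d/99-local.conf"
effective_permit_root_login "$demo"    # the 01- drop-in is read first and wins
rm -rf "$demo"
```

On a live server, sshd -t checks the configuration syntax before the restart, and sshd -T | grep -i permitrootlogin prints the value sshd itself resolves.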

Final Thoughts

Disabling SSH root login is a critical step toward bolstering your server’s security. By limiting direct root access, you reduce the risk of brute-force attacks and unauthorized system changes. Always ensure you have a non-root user with administrative privileges set up before making this change to avoid losing access to your server. With these configurations in place, your Linux 9 environment will be more secure and resilient against potential threats.
