Security Tip: Disable Root SSH Login on Linux

One of the biggest security holes you can open on your server is allowing direct root login over SSH. The root account name is known in advance, so any cracker can try to brute-force its password and potentially gain access to your system if they guess it.

It's much better to have a separate account that you regularly use and simply sudo to root when necessary. Before we begin, you should make sure that you have a regular user account and that you can su or sudo to root from it.

To fix this problem, we'll need to edit the sshd_config file, which is the main configuration file for the sshd service. The location will sometimes be different, but it's usually in /etc/ssh/. Open the file up while logged on as root.

vi /etc/ssh/sshd_config

Find this section in the file, containing the line with "PermitRootLogin" in it.

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

Remove the leading # so the line is no longer commented out, and make sure it looks like this to disable logging in through SSH as root.

PermitRootLogin no

Now you'll need to restart the sshd service:

/etc/init.d/sshd restart

Now nobody can brute force your root login, at least.
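
To confirm the edit above took effect, the following added example (not part of the original article) reports which PermitRootLogin value a config file really sets. The function names and the three sample files are constructed for illustration; it relies on sshd using the first value it reads for a keyword and ignoring lines that begin with #.

```shell
#!/bin/sh
# Added example (not from the original article): report which PermitRootLogin
# value an sshd_config-style file actually sets. Keywords are case-insensitive,
# '#' lines are comments, and sshd keeps the first value it reads for a keyword.
# Limitation: Include directives and Match blocks are not evaluated.

effective_root_login() {   # $1 = path to config file
    awk '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # comments and blank lines set nothing
        { key = tolower($1) }
        key == "match" { exit }             # global section ends at first Match
        key == "permitrootlogin" { val = tolower($2); found = 1; exit }
        END { print (found ? val : "unset") }
    ' "$1"
}

check_root_login() {       # exit status 0 only when root login is explicitly off
    val=$(effective_root_login "$1")
    case "$val" in
        no)    echo "OK    $1: PermitRootLogin no"; return 0 ;;
        unset) echo "WARN  $1: not set, sshd built-in default applies"; return 1 ;;
        *)     echo "WARN  $1: PermitRootLogin $val"; return 1 ;;
    esac
}

make_samples() {           # constructed sample configs, written into directory $1
    printf '%s\n' '#LoginGraceTime 2m' '#PermitRootLogin no' '#StrictModes yes' \
        > "$1/commented.conf"      # the stock section: still commented out
    printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin no' '#StrictModes yes' \
        > "$1/fixed.conf"          # after the edit described in the article
    printf '%s\n' 'permitrootlogin yes' 'PermitRootLogin no' \
        > "$1/shadowed.conf"       # an earlier line wins over the later "no"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in commented fixed shadowed; do
    check_root_login "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

On a live host, sshd -t validates the file before you restart the service, and sshd -T prints the configuration the daemon would actually use.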

The Geek is the founder of How-To Geek and a geek enthusiast. When he's not coming up with great how-to articles, he's probably writing at his personal blog. This article was written on 10/5/07 and tagged with: Linux

Comments (2)

  1. Matt

    This is a very smart security tip, especially the reminder to make sure you can still su / sudo without root ssh access!

    I often also set up 'su' so that only certain users can run it using either the wheel or admin group (depending on the flavor of *nix). Something like:

    1. Log in as root
    2. Add a user that you want to have access to 'su' to this group.
    3. cd to wherever su is located
    4. chgrp groupname su
    5. chmod 4750 su

    If you don't have console access to the machine, it's extremely important that you never forget your password, else you're pretty much locked out of ever getting back into the root account. One way around that problem I found was to create a second account in this group that I never ever use with an incredibly long and complex password that I keep in a safe place.

    These are a lot of layers, but IMHO totally worth it when it comes to basic root account security.

  2. The Geek

    Great followup tip!

    Always love it when the readers add really useful information.

