Disable external SSH root login

CentOS Sep 6, 2017

If you set up a new server, you should follow a few security configuration guidelines. One of them is to disable the external root login.

Why should I disable the root login?

As I showed in a few previous posts, security is important if you own and run a VPS. Bots exist that try to brute-force your root password to gain access to your server.

Here you can see the last lines of my SSH log:

[...] Did not receive identification string from [...]
[...] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...] user=root
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2

Multiple IPs try to establish an SSH connection as the "root" user. This is a special user account with privileged permissions. External root login is activated by default.

How do I disable the root login?

The examples below will edit the configuration on a native host. To keep changes documented, persistent and reproducible, use a configuration management tool.

First, SSH into your server. After this change, the root user will no longer be accessible over SSH. If you currently only have the root user, you would lose access to your server. That's why we are now going to create a new user account (with root privileges).

Note: replace XYZ with a custom user name.

adduser XYZ

Set the password with the next command; it prompts you to enter it:

passwd XYZ

Add the user to the wheel group to grant root privileges. This applies to CentOS. If you use another operating system, please check which groups are required.

gpasswd -a XYZ wheel

It is now important to test this account. Exit your current connection and run 'ssh XYZ@SERVER_IP'. Then type 'sudo su -' to get root privileges. If you get an error like 'Permission denied...', do not continue. Please make sure that every previous command was executed correctly.

With the new user logged in, we can modify /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Find the line starting with '#PermitRootLogin'
Uncomment and change this configuration to 'no'.
The line should now look like this:

PermitRootLogin no

The next step is to reload the SSH daemon:

systemctl reload sshd

That is all. Try to log in with your new credentials to see if the changes took effect.
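
The edit and check from the steps above as a script, for when the change has to be repeatable. This is an added example, not code from the original post; the helper names effective_permit_root_login and disable_root_login and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the function names are hypothetical helpers, not from the post.

# Print the first global PermitRootLogin value in an sshd_config-style file.
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively; parsing stops at the first Match block because
# everything after it is conditional.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Set "PermitRootLogin no" in the file given as $1, keeping a .bak copy.
disable_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        # Replace the first PermitRootLogin line, commented out or not.
        !done && tolower($0) ~ /^[ \t]*#?[ \t]*permitrootlogin[ \t]/ {
            print "PermitRootLogin no"; done = 1; next
        }
        # No directive before the first Match block: insert it ahead of it.
        !done && tolower($1) == "match" { print "PermitRootLogin no"; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing inode so owner, mode and SELinux label stay.
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample resembling a stock config (not taken from the post).
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' \
    'Match User sftpuser' '    ForceCommand internal-sftp' > "$sample"
echo "before: $(effective_permit_root_login "$sample")"
disable_root_login "$sample"
echo "after:  $(effective_permit_root_login "$sample")"
rm -f "$sample" "$sample.bak"
```

On the server itself, call disable_root_login /etc/ssh/sshd_config as root, validate the file with 'sshd -t' before 'systemctl reload sshd', and confirm the running value with 'sshd -T | grep -i permitrootlogin'. Keep the existing SSH session open until a fresh login as the new user has succeeded.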

An additional step is to ban every root login with fail2ban.


Tested on:

  • OS: CentOS 7

Stefan

Howdy! I'm Stefan and I am the main author of this blog. If you want to know more, you can check out the 'About me' page.
