Disable external SSH root login
If you set up a new server, you should follow a few security configuration guidelines. One of them is to disable the external root login.
Why should I disable the root login?
As I showed in a few previous posts, security is important if you own and run a VPS. There are a lot of bots out there, which try to brute-force your root password, to get access to your server.
Here you can see the last lines of my SSH log:
[...] Did not receive identification string from [...] [...] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...] user=root [...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" [...] Failed password for root from [...] port 41776 ssh2 [...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" [...] Failed password for root from [...] port 41776 ssh2 [...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" [...] Failed password for root from [...] port 41776 ssh2
Multiple IP's try to establish a SSH connection with the "root" user. This is a special user account and has all rights and permissions. External root login is activated by default. If disabled, bots also have to guess the user name.
How do I disable the root login?
First, log into your server.
If you now follow these steps, it is not longer possible to access your server this way. That's why we are now going to create a new user account (with root privileges).
Note: replace XYZ with a custom user name.
Enter your password in the next line
Add user to the wheel group to get root privileges:
gpasswd -a XYZ wheel
It is now important to try this account. Exit your current connection and ssh XYZ@SERVER_IP. Now type sudo bash to get root privileges. If you get an error like 'Permission denied...', you should not continue. Please make sure, if every previous command was executed correctly.
With the new user logged in, we can modify /etc/ssh/sshd_config:
Find the line starting with '#PermitRootLogin'
Uncomment and change this configuration to 'no'.
This line should look now like this:
The next step is to reload SSH daemon:
systemctl reload sshd
That is all. Try to login with your new credentials to see if the changes took action.
An optional step is to ban every root login with fail2ban.
Please comment below, if you have any questions.
- OS: CentOS 7
- Post photo by Micah Williams on Unsplash