Disable external SSH root login

CentOS Sep 6, 2017

If you set up a new server, you should follow a few security configuration guidelines. One of them is to disable the external root login.

Why should I disable the root login?

As I showed in a few previous posts, security is important if you own and run a VPS. There are a lot of bots out there that try to brute-force your root password to get access to your server.

Here you can see the last lines of my SSH log:

[...] Did not receive identification string from [...]
[...] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...] user=root
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2

Multiple IPs try to establish an SSH connection as the "root" user. This is a special user account that has all rights and permissions. External root login is activated by default. If it is disabled, bots also have to guess the user name.

How do I disable the root login?

First, log into your server.

ssh root@SERVER_IP

Once you have followed these steps, it is no longer possible to access your server this way. That's why we first create a new user account (with root privileges).

Note: replace XYZ with a custom user name.

adduser XYZ

Set a password for the new user; the next command prompts you to enter it:

passwd XYZ

Add the user to the wheel group to get root privileges:

gpasswd -a XYZ wheel

It is now important to test this account. Exit your current connection and run ssh XYZ@SERVER_IP. Now type sudo bash to get root privileges. If you get an error like 'Permission denied...', do not continue. Please make sure that every previous command was executed correctly.

With the new user logged in, we can modify /etc/ssh/sshd_config:

nano /etc/ssh/sshd_config

Find the line starting with '#PermitRootLogin'.
Uncomment it and change the value to 'no'.
The line should now look like this:

PermitRootLogin no

The next step is to reload the SSH daemon:

systemctl reload sshd

That is all. Try to log in with your new credentials to see if the changes took effect.
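A check for the edited file, as an added example that is not part of the original post: sshd uses the first value it obtains for a keyword, so an earlier active PermitRootLogin line would win over the one you just changed. The function name permit_root_login and the sample file are made up for this example; it reads a single file, looks only at the global section before any Match block, and does not follow Include.

```shell
#!/bin/sh
# Added example (not from the original post).
# Prints the PermitRootLogin value from the global section of an sshd_config
# file ("no", "yes", ...) or "unset" when no active line exists.

permit_root_login() {
    # $1: path to the sshd_config file to inspect
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            split(line, f, /[ \t=]+/)         # separator: whitespace (tolerate "=")
            key = tolower(f[1])               # keywords are case-insensitive
            if (key == "match") exit          # global section ends here
            if (key == "permitrootlogin") {
                gsub(/"/, "", f[2])           # strip optional quotes
                print tolower(f[2])
                found = 1
                exit                          # first value wins
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample: the commented line is ignored and the first active
# line decides, so the later "yes" has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
permitrootlogin yes
EOF

if [ "$(permit_root_login "$sample")" = "no" ]; then
    echo "root login disabled"
else
    echo "root login NOT disabled: $(permit_root_login "$sample")"
fi
rm -f "$sample"
```

On the server itself, sshd -t checks the configuration for syntax errors before you reload, and sshd -T prints the effective settings, including permitrootlogin.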

An optional step is to ban every root login with fail2ban.


Please comment below if you have any questions.

Tested on:

  • OS: CentOS 7

Stefan

Howdy! I'm Stefan and I am the main author of this blog. If you want to know more, you can check out the 'About me' page.
