How to disable the SSH root user login for enhanced server security
Disabling your server's root user SSH login is a simple way to step up the security of your server. In this short guide we not only show you how to disable SSH login for the root user but also how to securely create a new SSH user to log on to your server with.
Step 1 - Create a new sudo user to replace the SSH root user
Type the following at the command prompt (replacing username with the name of your new user):
# adduser username
You'll be asked to specify and confirm a password. Remember to specify a strong password and keep it safe:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
You will be asked to specify further information about this new user:
Enter the new value, or press ENTER for the default
Full Name :
Room Number :
Work Phone :
Home Phone :
Other :
Now add this user to the sudo group with the following command:
# usermod -aG sudo username
Now we can log in as our new user:
# su username
Now try running a command with superuser privileges by prefixing 'sudo' to the command:
$ sudo apt-get update
The first time you use 'sudo' in a session you will be asked for your password:
[sudo] password for username:
Step 2 - Specify the new user's SSH public key
While logged in as your new user type:
$ cd ~
This will navigate you back to your home directory. You can check you are in the right place by typing:
$ pwd
This command stands for Print Working Directory and outputs where we currently are, which should be your new user's home directory.
On a default Ubuntu setup, a user's SSH public key needs to be listed in a file called authorized_keys. The authorized_keys file must be located in a folder called .ssh (note the first character is a period) in the user's home folder. At this step we will use the vi editor because, although trickier to use, it is better at handling long lines of text pasted into files (we don't want the contents of the public key to be damaged by word wrapping). Run the following commands:
$ mkdir .ssh
$ cd .ssh
$ vi authorized_keys
Once you are in the vi editor...
- press SHIFT+i on your keyboard to enter INSERT mode.
- copy the contents of the public key into the file.
- press ESC to exit INSERT mode.
- press the colon key (e.g. SHIFT+; to reach the : character on the keyboard). A colon is displayed at the bottom left of the screen. This is the vi command line.
- Enter wq at the command line (short for write quit) to write out the authorized_keys file and exit the vi editor.
Now enter the following commands:
$ chmod 600 ./authorized_keys
$ cd ..
$ chmod 700 ./.ssh
$ sudo service ssh restart
Now try logging into the server using SSH as the new user.
Step 3 - Disable SSH root user login
Now that we have a user who is able to log in via SSH and execute privileged commands, we can disable the SSH root user's access. To edit the relevant configuration file we will now use the nano editor, which is slightly more user friendly. Type the following at the command line:
$ sudo nano /etc/ssh/sshd_config
Scroll down to the line containing the PermitRootLogin setting.
Change it to:
PermitRootLogin no
Press CTRL+x on the keyboard to save and exit.
$ sudo service ssh restart
Test that the server rejects any attempt to log in as root via SSH.
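A check worth running alongside Step 3, added here as an example and not part of the original guide: sshd uses the first value it reads for each keyword, so a PermitRootLogin no placed below an earlier PermitRootLogin yes has no effect. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are illustrative.

# Constructed sample: an earlier "yes" sits above the "no" added in Step 3.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF
}

# Print the PermitRootLogin value sshd takes from the global section of one
# file: the FIRST occurrence wins, and parsing stops at the first Match block
# because later settings are conditional. Include files are not followed.
effective_permit_root_login() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }   # OpenSSH default
    ' "$1"
}

# Succeed only if root SSH login is fully disabled in that file.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Succeed only if HOME/.ssh is mode 700 and authorized_keys is 600 (Step 2).
key_perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -ld "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Demo on the constructed sample. On a real server, validate with
# "sudo sshd -t" before restarting and confirm the result with
# "sudo sshd -T | grep -i permitrootlogin", which also resolves Includes.
tmp=$(mktemp)
sample_config > "$tmp"
echo "effective PermitRootLogin: $(effective_permit_root_login "$tmp")"
rm -f "$tmp"
```

The sample reports yes even though it contains PermitRootLogin no, which is the failure mode to look for when the login test in Step 3 unexpectedly succeeds.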
© 2021 Lumina Consultancy Limited | UK Company Registration No: 10627969 | VAT Registration No: 344 5130 25