How to disable the SSH root user login for enhanced server security


Disabling your server's root user SSH login is a simple way to step up the security of your server. In this short guide we not only show you how to disable SSH login for the root user but also how to securely create a new SSH user to log on to your server with.

If you lack the confidence or the time to manage your own web site and server then speak to us about our competitively priced hosting plans.

Step 1 - Create a new sudo user to replace the SSH root user

Type the following at the command prompt (replacing username with the name of your new user):

# adduser username

You'll be asked to specify and confirm a password. Remember to specify a strong password and keep it safe:

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

You will be asked to specify further information about this new user:

Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:

Now add this user to the sudo group with the following command:

# usermod -aG sudo username

Now we can log in as our new user:

# su username

Now try running a command with superuser privileges by prefixing 'sudo' to the command:

$ sudo apt-get update

The first time you use 'sudo' in a session you will be asked for your password:

[sudo] password for username:

Step 2 - Specify the new user's SSH public key

While logged in as your new user type:

$ cd ~

This will navigate you back to your home directory. You can check you are in the right place by typing:

$ pwd

This command (short for Print Working Directory) outputs the directory we are currently in:

/home/username

On a default Ubuntu setup, a user's SSH public key needs to be listed in a file called authorized_keys. The authorized_keys file must be located in a folder called .ssh (note the first character is a period) in the user's home folder. At this step we will use the vi editor because, although trickier to use, vi is better at handling the pasting of long lines of text into files (we don't want the contents of the public key to be damaged by word wrapping). Run the following commands:

$ mkdir .ssh
$ cd .ssh
$ vi authorized_keys

Once you are in the vi editor...

  1. Press SHIFT+i on your keyboard to enter INSERT mode.
  2. Paste the contents of the public key into the file.
  3. Press ESC to exit INSERT mode.
  4. Press the colon key (SHIFT+; on a UK or US keyboard layout). A colon is displayed at the bottom left of the screen. This is the vi command line.
  5. Enter wq at the command line (short for write quit) to write out the authorized_keys file and exit the vi editor.

Now enter the following commands:

$ chmod 600 ./authorized_keys
$ cd ..
$ chmod 700 ./.ssh
$ sudo service ssh restart

Now try logging into the server using SSH as the new user.

Step 3 - Disable SSH root user login

Now that we have a user who is able to log in via SSH and execute privileged commands, we can disable the SSH root user's access. To edit the relevant configuration file we will now use the nano editor, which is slightly more user friendly. Type the following at the command line:

$ sudo nano /etc/ssh/sshd_config

Scroll down to the following line:

PermitRootLogin yes

Change it to:

PermitRootLogin no

Press CTRL+x on the keyboard to exit, answer Y when nano asks whether to save the modified buffer, and press ENTER to confirm the file name.

Finally, type:

$ sudo service ssh restart

Test that the server rejects any attempt to log in as root via SSH.
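An added example, not part of the original guide: POSIX shell functions that audit a copy of sshd_config for the effective PermitRootLogin value the way sshd reads it (first uncommented occurrence wins, keywords are case-insensitive, lines under a Match block apply only conditionally), rewrite that setting, and verify the .ssh permissions from Step 2. File paths are arguments, so everything can be tried on a backup copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example; the file paths and sample values are supplied by the caller.

# Print the effective global PermitRootLogin value from an sshd_config file.
# sshd uses the FIRST uncommented occurrence of a keyword, so a second
# "PermitRootLogin yes" lower down is ignored. Settings after a "Match" line
# are conditional, so the scan stops there. If the keyword never appears,
# OpenSSH's built-in default applies ("prohibit-password" since OpenSSH 7.0).
permit_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Set the global PermitRootLogin value in a config file: replace the first
# uncommented occurrence, insert before the first Match block if the keyword
# only appears inside one, or append it if it is absent. Writes via a temp file.
set_permit_root_login() {
    file=$1; value=$2
    awk -v v="$value" '
        tolower($1) == "match" && !done { print "PermitRootLogin " v; done = 1 }
        tolower($1) == "permitrootlogin" && !done { print "PermitRootLogin " v; done = 1; next }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Check the permissions Step 2 sets: the .ssh directory must be 700 and
# authorized_keys 600. sshd with StrictModes (the default) ignores the key file
# if it or its directory is writable by anyone but the owner; this check
# insists on the stricter modes the guide uses. ls output is parsed instead of
# stat so it behaves the same on GNU and BSD userlands.
ssh_key_perms_ok() {
    dir=$1
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -l "$dir/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Stand-alone use: report the effective value for the config file given as $1.
if [ "$#" -gt 0 ]; then
    permit_root_login "$1"
fi
```

After changing the real file, run `sudo sshd -t` to syntax-check it and `sudo sshd -T | grep -i permitrootlogin` to confirm the value sshd will actually apply before restarting the service.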

Lumina Consultancy are software programming, web development and web security specialists.

We build it, we host it, and we keep it safe.

Please get in touch to learn more about us and our work.

© 2022 Lumina Consultancy Limited | UK Company Registration No: 10627969