Disable root login and root user
This post is part of the series ‘Setting up Ubuntu Server and make it secure’.
It is presumed that you have a plain Ubuntu Server installed and you didn’t create your own user yet.
It is strongly recommended to disalbe SSH root login, because most of the hackers try the user root. If you have disabled the login of root, they have to first guess your username and then the corresponding password.
Step by step
- login to your server as root over SSH
- Create you own user:
- Add the new user to sudo group (so that you can use sudo)
adduser UserName sudo
- This step is optional, but I recommend to use a different password between your SSH login and the sudo password. So if someone has the password of UserName, he can’t do as much harm as if he is root. You can add the following line in
. That causes requesting the root’s password instead of your own if you use sudo.
- login to your server as UserName via SSH. Use a second terminal for this, to keep the current root session open!Keep this session open, until all steps are finished. This is the backup terminal, in case you lock your self out (which shouldn’t happen if you follow step by step).
- You should now be logged in as UserName. Check if you are able to use sudo:
This should first request the password of root and then output something like
uid=0(root) gid=0(root) groups=0(root)
- Ok, now let’s disable SSH root login. Use
sudo nano /etc/ssh/sshd_config
- Restart SSH daemon so that these changes take place:
sudo service ssh restart
- Now try to login as root over SSH and you should get the error:
- You are done. Close all the terminals
If you need to execute a command as root, you can use
or open a root shell with
Logging in with private key instead of password
You can use private and public key combination to login to your server instead of using your password, which is more secure.
To generate the key pair, execute the following command in your shell (or use PuTTY Key Generator on Windows):
ssh-keygen -t rsa -b 2048
When asked for a password, you should enter the passwort to encrypt your private key.
Then copy the public key to the server:
ssh-copy-id -i .ssh/id_rsa.pub UserName@example.com
Open PuTTY Key Generator (which comes with standard PuTTY installation) and change the key size to 2048 and klick ‘Generate’ to generate the keys.
Save them somewhere secure on your PC.
Now login to your server with your password and create the .ssh directory:
mkdir ~/.ssh chmod 700 ~/.ssh
Add the public key to the ~/.ssh/authorized_keys2 file. The key must be pasted as one single line without linebreaks.
The line should then look like
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBkd ... LOTS OF CHARS ... ETpGUqw== Key Description/Comment
Now configure PuTTY to use your private key under Connection -> SSH -> Auth -> Private key file.
Disable password login:
After you created private and public key for login, you can disable password login, which makes your server even more secure. If you are sure, that you will only use key authentication, enable and set the following line in
and restart ssh service
service ssh restart
BACK TO MAIN POST