Disable root login and root user

This post is part of the series ‘Setting up Ubuntu Server and make it secure’.

It is presumed that you have a plain Ubuntu Server installed and have not created your own user yet.

Why?

It is strongly recommended to disable SSH root login, because most attackers try the user root first. If root login is disabled, they first have to guess your username and then the corresponding password.

Step by step

  1. Log in to your server as root over SSH
  2. Create your own user:
    adduser UserName
  3. Add the new user to the sudo group (so that you can use sudo)
    adduser UserName sudo
  4. This step is optional, but I recommend using a different password for your SSH login than for sudo. Then, if someone has the password of UserName, he can't do as much harm as if he were root. To do this, add the following line to
    /etc/sudoers

    Defaults        rootpw

    This causes sudo to request root's password instead of your own.
  5. Log in to your server as UserName via SSH. Use a second terminal for this, to keep the current root session open! Keep that session open until all steps are finished. It is the backup terminal in case you lock yourself out (which shouldn't happen if you follow the steps in order).
  6. You should now be logged in as UserName. Check if you are able to use sudo:
    sudo id

    This should first request the password of root and then output something like:

    uid=0(root) gid=0(root) groups=0(root)
  7. Ok, now let’s disable SSH root login. Use
    sudo nano /etc/ssh/sshd_config

    and replace

    PermitRootLogin yes

    with

    PermitRootLogin no
  8. Restart the SSH daemon so that these changes take effect:
    sudo service ssh restart
  9. Now try to log in as root over SSH; you should get the error:
    access denied
  10. You are done. Close all the terminals.

If you need to execute a command as root, you can use

sudo command

or open a root shell with

sudo -i

Logging in with private key instead of password

You can use a private/public key pair to log in to your server instead of your password, which is more secure.

To generate the key pair, execute the following command in your shell (or use PuTTY Key Generator on Windows):

Linux:

ssh-keygen -t rsa -b 2048

When asked for a passphrase, enter one; it is used to encrypt your private key.

Then copy the public key to the server:

ssh-copy-id -i .ssh/id_rsa.pub UserName@example.com

Windows:

Open PuTTY Key Generator (which comes with the standard PuTTY installation), change the key size to 2048 and click 'Generate' to generate the keys.
Save them somewhere secure on your PC.
Now log in to your server with your password and create the .ssh directory:

mkdir ~/.ssh
chmod 700 ~/.ssh

Add the public key to the ~/.ssh/authorized_keys2 file. The key must be pasted as one single line without line breaks.
The line should then look like:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBkd ... LOTS OF CHARS ... ETpGUqw== Key Description/Comment

Now configure PuTTY to use your private key under Connection -> SSH -> Auth -> Private key file.

Disable password login:

After you have created the private and public key for login, you can disable password login, which makes your server even more secure. If you are sure that you will only use key authentication, enable the following line in

/etc/ssh/sshd_config

to no:

PasswordAuthentication no

and restart the SSH service:

sudo service ssh restart
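A common mistake with both of the sshd_config changes above (step 7 and PasswordAuthentication) is appending a new line to the end of the file: sshd uses the first uncommented occurrence of a keyword, so an earlier "PermitRootLogin yes" silently wins, and lines after a "Match" block only apply conditionally. The following audit script is an added example (not part of the original post) that parses a config file the way sshd reads it and reports the effective values; the function names and the sample config are my own.

```shell
#!/bin/sh
# Audit an sshd_config for the two settings this post changes.
# sshd honours the FIRST uncommented occurrence of a keyword, so a
# "PermitRootLogin no" added below an existing "PermitRootLogin yes"
# changes nothing; settings after a "Match" line are conditional.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value (lowercased)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # normalise "Key=val"
        /^#/ || /^$/ { next }                               # comments, blanks
        tolower($1) == "match" { exit }                     # rest is conditional
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per setting, returns 1 on FAIL
audit_sshd_config() {
    rc=0
    # Assumed defaults: older OpenSSH ships PermitRootLogin yes (newer ones
    # default to prohibit-password, which still lets root in with a key).
    root=$(sshd_effective "$1" PermitRootLogin yes)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '$root' (root can still log in over SSH)"; rc=1; fi
    if [ "$pw" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication is '$pw' (disable only after key login works)"; fi
    return $rc
}

# Constructed sample, not a real server's config: the later "no" does NOT win
# and the commented-out line does nothing.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
EOF
audit_sshd_config "$demo" || echo "-> edit the FIRST occurrence, then: sudo service ssh restart"
rm -f "$demo"
```

On a live server, run it against /etc/ssh/sshd_config before restarting sshd; keep the backup root session from step 5 open until it reports OK and a fresh login as UserName succeeds.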

One thought on 'Disable root login and root user'

  1. Pingback: Setting up an Ubuntu Server | Stefan Profanter -- KB Blog