Disable Root Login Linux Server

Secure your Linux server by disabling direct root login and adding an extra layer of security.

Introduction

To secure your Linux server, it is good practice to disable direct root login. Doing so prevents malicious users from logging in directly to the root account, which has the highest level of access and privileges on the server.

Disabling direct root login means that you will no longer be able to log in to the server as the root user over SSH. Instead, you log in as a regular user and then use the "sudo" command to perform administrative tasks. This adds an extra layer of security to your server by requiring an additional step before granting root access.

The process of disabling direct root login involves making changes to the SSH configuration file on your server. You will need to create a new user account with administrative privileges, edit the SSH configuration file to disallow root login and restart the SSH service to apply the changes.

Task Details

After doing some security audits of servers, the xFusionCorp Industries security team has implemented some new security policies. One of them is to disable direct root login through SSH.

Disable direct SSH root login on all app servers in Stratos Datacenter.

Run the commands below against the server named in your own task; the server, user name and other details might differ, so please read the task carefully before executing anything. All the Best 👍

Solution:

| Server Name | IP | Hostname | User | Password | Purpose |
|---|---|---|---|---|---|
| stapp01 | 172.16.238.10 | stapp01.stratos.xfusioncorp.com | tony | Ir0nM@n | Nautilus App 1 |
| stapp02 | 172.16.238.11 | stapp02.stratos.xfusioncorp.com | steve | Am3ric@ | Nautilus App 2 |
| stapp03 | 172.16.238.12 | stapp03.stratos.xfusioncorp.com | banner | BigGr33n | Nautilus App 3 |

1. Log in to the app server named in the task and switch to the root user

hor@jump_host /$ ssh tony@stapp01
The authenticity of host 'stapp01 (172.16.238.10)' can't be established.
ECDSA key fingerprint is SHA256:8gbDU2yvj4ePwnTM4S/7yX2IhNGXvei+SRsoArApmhE.
ECDSA key fingerprint is MD5:42:78:49:e0:3f:b4:e4:b9:96:40:c9:9c:9c:ca:d6:b0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stapp01,172.16.238.10' (ECDSA) to the list of known hosts.
tony@stapp01's password:
[tony@stapp01 ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for tony:
[root@stapp01 ~]#

A brief description of the commands "ssh" and "sudo su -" is given in Essential Linux Commands.

2. Edit the /etc/ssh/sshd_config file and make the change shown below

[root@stapp01 ~]# cat /etc/ssh/sshd_config  | grep PermitRoot
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
[root@stapp01 ~]#

Replace the line "#PermitRootLogin yes" with "PermitRootLogin no"

[root@stapp01 ~]# vi /etc/ssh/sshd_config
[root@stapp01 ~]# cat /etc/ssh/sshd_config  | grep PermitRoot
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
[root@stapp01 ~]#

3. Restart the service

[root@stapp01 ~]# systemctl restart sshd && systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-06-11 14:05:14 UTC; 5ms ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 139 (sshd)
   CGroup: /docker/061bee497c9084d31ff314a7186dbe055422f2a00f3541f71876cef7ab815dfd/system.slice/sshd.service
           ├─ 81 sshd: tony [priv]
           ├─ 83 sshd: tony@pts/0
           ├─ 84 -bash
           └─139 /usr/sbin/sshd -D

Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com sshd[139]: WARNING: 'UsePAM no' is not supported in Re...s.
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[139]: Executing: /usr/sbin/sshd -D
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com sshd[139]: Server listening on 0.0.0.0 port 22.
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com sshd[139]: Server listening on :: port 22.
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: Got notification message for unit sshd.service
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: sshd.service: Got notification message fro...1)
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: sshd.service: got READY=1
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: sshd.service changed start -> running
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: Job sshd.service/start finished, result=done
Jun 11 14:05:14 stapp01.stratos.xfusioncorp.com systemd[1]: Started OpenSSH server daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@stapp01 ~]#

Please note: I have shown the process only for stapp01. You have to repeat it on all app servers: stapp01, stapp02 and stapp03.
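Steps 2 and 3 as a repeatable script, added here as an example that is not part of the original post; the function names and the sample file are constructed for illustration. It goes beyond the manual edit by also handling a file with no active directive, or with the directive only inside a Match block, because sshd uses the first value it reads for a keyword.

```shell
#!/bin/sh
# Added example; function names and sample content are constructed.

# Value sshd would take from the global section of a config file: the first
# active PermitRootLogin line before any Match block (sshd uses the first
# value it reads for a keyword). "unset" means the built-in default applies.
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Set PermitRootLogin to "no" idempotently, keeping a .bak copy.
disable_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    cp -p "$cfg" "$cfg.bak" || return 1
    # Rewrite active and commented-out directives; comment lines that only
    # mention the keyword mid-sentence do not match.
    sed -E 's/^[[:space:]]*#?[[:space:]]*[Pp]ermit[Rr]oot[Ll]ogin[[:space:]]+.*$/PermitRootLogin no/' \
        "$cfg" > "$tmp" || return 1
    # Nothing effective in the global section: put the directive first.
    if [ "$(effective_permit_root_login "$tmp")" != "no" ]; then
        { echo 'PermitRootLogin no'; cat "$tmp"; } > "$tmp.2" && mv "$tmp.2" "$tmp"
    fi
    cat "$tmp" > "$cfg"    # overwrite in place: owner and mode are preserved
    rm -f "$tmp"
}

# Constructed sample: the two lines grep prints in step 2.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' \
    '# the setting of "PermitRootLogin without-password".' > "$sample"
echo "before: $(effective_permit_root_login "$sample")"
disable_root_login "$sample"
echo "after:  $(effective_permit_root_login "$sample")"
rm -f "$sample" "$sample.bak"

# On the server (as root), validate before restarting and read back the
# value sshd resolved:
#   disable_root_login /etc/ssh/sshd_config
#   sshd -t && systemctl restart sshd
#   sshd -T | grep -i '^permitrootlogin'
```

Keep the current SSH session open until a second login as the regular user succeeds, so a bad edit cannot lock you out.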

Thank you so much for taking your valuable time to read

I took the initiative to learn in public and share my work with others. I tried my level best in squeezing as much information as possible in the easiest manner. Hope you learned something new today :)
