Disable Direct Root Logins
Published: Oct 28, 2003

Allowing the root user to log in directly over SSH is a serious security issue. This guide shows how to disable direct root logins so that you can still become root, just not by logging in as root, which removes the most obvious brute-force target on the server.

An attacker will then have to guess two separate passwords (and the admin username) to gain root access.
(You do have two separate passwords for admin and root, right?)
In practice you first log in over SSH as your admin user, then switch to the superuser with the su command to get root.

We will also force the use of SSH protocol 2, which is the newer and more secure SSH protocol; protocol 1 has known weaknesses and should never be accepted.
These are just a couple more ways to help keep your server safe from the bad guys. If you're using cPanel (or any system where su is restricted to the 'wheel' group via pam_wheel), make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root; otherwise you may lock yourself out of root.

1. SSH into your server as 'admin' and gain root access with 'su -'. Keep this session open until you have confirmed the new settings work, so a mistake cannot lock you out.

2. Open the SSH daemon configuration file in an editor:
pico -w /etc/ssh/sshd_config

3. Find the line
#Protocol 2,1

4. Uncomment it and change it to
Protocol 2

5. Next, find the line
#PermitRootLogin yes

6. Uncomment it and change it to
PermitRootLogin no

7. Save the file: Ctrl+X, then Y, then Enter.

8. Now restart SSH, then open a second session, log in as admin and 'su -' to confirm everything still works before closing the original session:
/etc/rc.d/init.d/sshd restart
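The whole procedure above as a script, added here as an example that is not part of the original article: a POSIX shell script that rewrites the two directives in an sshd_config file idempotently, reads the result back the way sshd does (the first non-comment occurrence of a directive is the one that counts), and runs the daemon's own syntax check before you restart. The sample config it edits is constructed inline in a temporary file; point harden_sshd_config at /etc/ssh/sshd_config to use it for real. The function names and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): apply the PermitRootLogin
# and Protocol settings to an sshd_config file, then verify them the way
# sshd itself reads the file. Function names and the sample config below
# are assumptions of this example.

# set_sshd_option FILE KEY VALUE
# Replaces every existing line for KEY (commented out or not) with a single
# "KEY VALUE" line at the position of the first match, or appends it if the
# directive was absent. sshd honours the FIRST occurrence of a directive, so
# a stray earlier "PermitRootLogin yes" left in place would silently win.
set_sshd_option() {
    _file=$1 _key=$2 _value=$3
    _tmp="${_file}.tmp.$$"
    awk -v key="$_key" -v value="$_value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip leading "#" and blanks
            if (tolower(line) ~ ("^" tolower(key) "[ \t=]")) {
                if (!done) { print key " " value; done = 1 }
                next                                  # drop duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file" && rm -f "$_tmp"
}

# effective_sshd_option FILE KEY
# Prints the value sshd would use: the first non-comment "KEY value" line.
# (Assumes the "KEY value" form; the rarer "KEY=value" form is not parsed.)
effective_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no   # no direct root logins
    set_sshd_option "$1" Protocol 2           # no SSH-1 (ignored on OpenSSH 7.6+)
}

# check_sshd_config FILE
# Syntax-check with "sshd -t" before restarting, so a typo cannot lock you
# out. Returns 0 when sshd is not installed locally (nothing to check).
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Demo on a constructed sample config (the real file is /etc/ssh/sshd_config).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
PermitRootLogin yes
X11Forwarding no
EOF
harden_sshd_config "$cfg"
check_sshd_config "$cfg" || echo "config check failed; do not restart sshd" >&2
echo "PermitRootLogin -> $(effective_sshd_option "$cfg" PermitRootLogin)"
echo "Protocol        -> $(effective_sshd_option "$cfg" Protocol)"
rm -f "$cfg"
```

Two caveats for current systems: the Protocol directive is deprecated and ignored on OpenSSH 7.6 and later, because protocol 1 was removed entirely, so setting it is harmless but no longer needed; and on distributions whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file there that sets PermitRootLogin is read first and wins, so check those files as well. Since OpenSSH 7.0 the default is PermitRootLogin prohibit-password (root may log in with a key but not a password), which is what the commenter's without-password setting below means; an explicit no is still the right choice when root should only ever be reached through su. On systemd-based systems the restart step is systemctl restart sshd (the unit is named ssh on Debian and Ubuntu).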

Now no one can log in as root without first logging in as admin and running 'su -', and you are forcing the use of the more secure protocol. Just make sure you remember both passwords!


Comments (12)

  • Just Asking 23:50, November 17, 2003
    This though breaks DNS synchronization in cPanel, as it requires root login to sync zone files across servers.
  • Sam 16:09, January 30, 2004
    Hi, try this:

    #LoginGraceTime 600
    PermitRootLogin without-password
    #StrictModes yes

    It should fix the DNS synchronization problem.
  • vera 12:51, February 10, 2005
    named has failed, please contact the sysadmin (result was "named is not running"). Feb 10 14:57:52 server named: named shutdown failed Feb 10 14:57:52 server named: named: user 'named' unknown Feb 10 14:57:52 server named: named startup failed
  • Aingaran 18:03, April 11, 2005
    Can you specify more than one port for SSH? I.e., 22 & 222?
  • Ravindra 13:16, August 25, 2005
    Please send me tutorials about Linux networking.
  • qwe010 22:00, May 28, 2006
    I do.

    But I can't force the use?
  • Vishal 20:54, July 4, 2006
    Great, thanks.

    It worked well.
  • Remus 04:53, August 16, 2006
    Excellent, thank you.
  • Anthony 14:02, February 20, 2007
    I followed the steps, but my Linux still allows direct root logins.
  • Jaop 20:21, October 23, 2007
    Excellent ideas! Thank you!
  • Clemme 09:26, April 4, 2008
    Thanks a lot dude, works like a charm.
  • Mike 22:02, July 19, 2010
    Thanks a lot, just working like I wanted.

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2023 WebHostGear.com