
Limit SSH Root Access in Linux

One of the biggest security holes you could open on your server is to allow logging in directly as root through SSH, because any cracker can attempt to brute-force your root password and potentially get access to your system if they can figure it out.

It’s much better to have a separate account that you regularly use and simply sudo to root when necessary. Before we begin, you should make sure that you have a regular user account and that you can su or sudo to root from it.

To fix this problem, we’ll need to edit the sshd_config file, which is the main configuration file for the sshd service. The location will sometimes be different, but it’s usually in /etc/ssh/. Open the file while logged on as root.

Disable SSH Root Login

SSH server settings are stored in the /etc/ssh/sshd_config file. To disable root logins, open the file in an editor:

# nano /etc/ssh/sshd_config

Search for the following line in the file.

#PermitRootLogin no

Remove the ‘#’ from the beginning of the line.

PermitRootLogin no

Restart the SSH service:

# service sshd restart

Try to log in as the root user; you should see the error message “Access Denied”.

Now log in as a normal user and then use the “su” command to switch to the root user.

Enable SSH Root Login

To enable SSH root login, edit the /etc/ssh/sshd_config file.

# nano /etc/ssh/sshd_config

Search for the following line, put a ‘#’ at the beginning, and save.

# PermitRootLogin no

Restart the sshd service:

# service sshd restart

Try to log in as the root user.

Limit SSH User Logins

SSH logins can be limited to only the users who need remote access. If you have many user accounts on the system, it makes sense to limit remote access to those that really need it, which limits the impact of a casual user having a weak password. Add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config. For example:

# nano /etc/ssh/sshd_config
AllowUsers lintut gandalf

and restart the sshd service:

# service sshd restart
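
A check to run on the edited file before restarting sshd, covering both the PermitRootLogin and AllowUsers changes above. This is an added example, not part of the original article: the function names are hypothetical, the sample config and the user "frodo" are constructed, and it only reads the global section of the file (no Include files, stops at the first Match block, literal user names only).

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.
# Assumptions: whitespace-separated keywords, Include files not followed,
# parsing stops at the first Match block, AllowUsers entries are literal names.

# Print the first active value of KEYWORD (empty if absent or commented out).
sshd_first_value() {  # usage: sshd_first_value FILE KEYWORD
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeed if USER is on an active AllowUsers line, or if there is none.
sshd_user_allowed() {  # usage: sshd_user_allowed FILE USER
    awk -v user="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" {
            seen = 1
            for (i = 2; i <= NF && $i !~ /^#/; i++) if ($i == user) ok = 1
        }
        END { if (seen && !ok) exit 1 }
    ' "$1"
}

# Print "ok" only if root login is off and ADMIN can still log in.
sshd_audit() {  # usage: sshd_audit FILE ADMIN
    root=$(sshd_first_value "$1" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "root-login-not-disabled:${root:-default}"; return 1
    fi
    if ! sshd_user_allowed "$1" "$2"; then
        echo "lockout-risk:$2"; return 2
    fi
    echo "ok"
}

# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
AllowUsers lintut gandalf
EOF
sshd_audit "$sample" lintut          # prints: ok
sshd_audit "$sample" frodo || true   # prints: lockout-risk:frodo
```

Pass the account you normally log in with as the second argument, and keep your current session open until a second login as that account succeeds.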
