How to Disable SSH Root Login in Linux

The root account is often the most targeted account by crackers via SSH under Linux. An enabled SSH root account on a Linux server exposed to a network or, worse, exposed in Internet can pose a high degree of security concern by system administrators.

The SSH root account should be disabled in all cases in Linux in order to harden your server security. You should login via SSH on a remote server only with a normal user account and, then, change privileges to root account via sudo or su command.

In order to disable SSH root account, first log in to your server console with a normal account with root privileges by issuing the below commands.

$ su tecmint
$ sudo su -   # Drop privileges to root account

After you’ve logged in to console, open the main SSH configuration file for editing with your favorite text editor by issuing the below command. The SSH main configuration file is usually located in /etc/ssh/ directory in most of Linux distributions.

# vi /etc/ssh/sshd_config

In this file, search for the line “PermitRootLogin” and update the line to look like in the below file excerpt. On some Linux distributions, the “PermitRootLogin” line is preceded by the hashtag sign (#) meaning that the line is commented. In this case uncomment the line by removing the hashtag sign and set the line to no.

PermitRootLogin no
Disable SSH Root Login

Disable SSH Root Login

After you’ve made the above changes, save and close the file and restart the SSH daemon to apply changes by issuing one of the below commands, specific to your Linux distribution.

# systemctl restart sshd
# service sshd restart
# /etc/init.d/ssh restart

In order to test if the new configuration has been successfully applied, try to login with root account to the server via SSH from a remote system by issuing the below command.

The remote SSH login process for root account should be automatically denied by our SSH server, as illustrated in the below screenshot.

SSH Root Login Denied

SSH Root Login Denied

That’s all! You shouldn’t be able remotely login to SSH server with root account via password or via public key authentication mechanisms.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Matei Cezar

I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

1 Response

  1. Spike White says:

    Additioonally, you can edit the /etc/security/access.conf file.

    -:root:ALL ecept LOCAL
    

    disallows all remote logins, but allows local (console) logins.

Leave a Reply to Spike White Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.