40

a while ago I gave root a password so I could log in as root and get some stuff done. Now I want to disable root login to tighten security, since I'm going to be exposing my serve to the internet. I've seen several ways of doing this (sudo passwd -l root, fiddling with /etc/shadow, and so on), but nowhere that says what the best/most sensible way of doing it is. I've done sudo passwd -l root but I've seen advice that says this can affect init scripts, and that it's not as secure as it looks since it still asks for a password if you try to log in, rather than flat out denying access. So what would be the way to achieve that?

EDIT: to clarify, this is for local login as root; I've already disabled remote login via SSH. Though trying to log in as root over SSH still prompts for root's password (which always fails). Is that bad?

Improve this question
5
  • 2
    Disabling local access for root has almost zero security benefit. A user with physical access can pwn your box in countless ways. Commented Sep 4, 2010 at 14:45
  • 1
    Point taken. No need to log in as root if you can just take the hard drives out. I'd still like to know how to return the root account to how it was before I changed it though, if only out of curiosity now. Commented Sep 4, 2010 at 15:36
  • 1
    see the update to my answer below. I think I now understand what you're asking. Commented Sep 4, 2010 at 15:52
  • @jscott while disabling root may not provide security benefit against intrusion, but not logging in as root provides a safety switch against wrecking sys with misplaced rm command or such. Something I learned the hard way. Yes, one simply can NOT log in as root, but disabling it does makes sense from sys admin point of view. Commented Dec 12, 2017 at 15:34
  • Seems great for VPS or hosting, no brainer really. Commented Feb 8, 2019 at 2:17

7 Answers 7

Reset to default
45

It's debatable, to me, that disabling root is worth the potential issues. I have never tested a server configured in such a manner. My preference is to allow root local access only. If an attacker has physical access to your server, you can forget everything you've done to "secure" your install anyway.

Disable root ssh access by editing /etc/ssh/sshd_config to contain:

PermitRootLogin no

Fiddling with /etc/shadow, chsh -s /bin/false root all can be undone with a simple bootable CD/thumbdrive.

Update per your comment:

From help.ubuntu.com: "By default, the root account password is locked in Ubuntu". Please see the section "Re-disabling your root account" specifically. In order to reset the state of root's account, to install-default, use the following command:

sudo usermod -p '!' root
Improve this answer
4
  • No system is secure when an attacker has physical access to that system . When you can edit /etc/shadow, what stops you from editing /etc/ssh/sshd_config? Commented Sep 4, 2010 at 14:33
  • @SvenW: Exactly. That is why I debate the usefulness, security-wise, of even bothering to "disable" root. Restrict root's access, yes. Disable the account, no. Commented Sep 4, 2010 at 14:38
  • 8
    sudo service ssh restart .......after doing this. Commented Jan 13, 2016 at 10:38
  • The referenced help file now gives the following command: sudo passwd -dl root Commented Jan 4, 2018 at 7:36
31

I assume you refer to remote login via ssh. Add the following line to /etc/ssh/sshd_config:

PermitRootLogin no

and the restart the ssh service

sudo service ssh restart

That should do the job and you can keep your root account as it is (or try to disable it anyway if you feel that is necessary).

Improve this answer
1
  • 1
    Sorry, I should have said, this is for local logins. I've updated the question. Commented Sep 4, 2010 at 14:38
5

The main question has been answered several times, but the secondary has not. SSH prompts for the password after entering root after it is disabled as a security feature. It will also trigger if you try to log in as lkjfiejlksji.

This is to prevent someone from testing a pile of usernames, to try and find out which are valid on your system. However, from a security standpoint, if you've disabled root over SSH, I'd also set up a bruteforce detection program (like fail2ban), and set it so that if someone even tries to log in as root, it blocks them from trying any additional attacks.

Improve this answer
1
  • Good answer, thanks! I've got fail2ban set up already, I'll configure it to block on the first attempt at logging in as root though, good advice. Commented Sep 6, 2010 at 8:44
2

Replacing the encrypted password with a * in /etc/shadow (second field, after the first ':') is the best way, IMHO. Also, deactivate root login for ssh (this way it's simply impossible to login via ssh as root) and maybe restrict ssh to certificate logins, which is much more secure than password-based logins.

In most cases, SSH should be the only service accessible from the outside which potentially allows root login, so this door would be locked.

In order to further restrict this, you could install something like fail2ban, which bans IP addresses for a certain amount of time after a number of unsuccessful login attempts.

Improve this answer
1
  • I've a feeling '*' is the same as '!', as per the accepted answer, so I'll vote this answer up too. Commented Sep 4, 2010 at 16:00
2

JR et al,

Your AllowUsers led me to this https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

sudo vi /etc/ssh/sshd_config

PermitRootLogin yes (changed to no)

(add line at bottom of file) DenyUsers user1 user2

save and exit and then

sudo service ssh restart

Solved my issue. Thanks to all.

Improve this answer
0

If you want to disable local root login, you can try to modify /etc/passwd and replace /bin/bash by /bin/false. HOWEVER, since I haven't tested it, I would say leave a root session open on the side, test it, and if there is any weird side effect, change it back.

Improve this answer
0

Re: Security.

IMHO there is only so much you can do, security wise, short of unplugging the box, disconnecting it from the network, and welding it inside a 3" thick bullet-proof carbide-steel box.

Think of it this way - if folks can hack the Department of Defense, the CIA, the FBI, and Citibank - the rest of us mere mortals can't do much better.

Re: SSH security.

I not only forbid root access via ssh, I also set the "AllowUsers" parameter to my, and only my, username. This way nobody but my own user can log in via ssh. This may be redundant as in my own case, I only create ONE non-root user anyway.

Unfortunately, as others have said many times before, as soon as someone gets physical access to the box, all bets are OFF!

Certificate exchange for ssh login? Hmmmm. . . . sounds good. How do you do it?

Jim (JR)

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.