By default, Linux comes with a user account that has full access to everything on the computer/server/VPS, and that user always has the same name: root. Given the ultimate power of this user's abilities over the server, hackers are always trying to brute force crack the secure shell service (SSH aka SSHD) as the root user. Username/password combinations involve two parts. When you already know the username (root), all that's left is to guess the password.
The easiest way to add security to SSH is by implementing a two-part plan:
- Change the default port of SSH, away from port 22. Guide: http://www.digitalfaq.com/forum/web-...hange-ssh.html
- Disable the root user's ability to login to SSH, and create a secondary user with an uncommon or unique name. (In other words, not admin or webmaster. You should also avoid common names, like john or susan. I don't care if that is your real first name -- it's a horrible username. Pick something atypical, like pluckyduck or secretsquirrel.) When you login with the new user, you can "su" to the root user account.
This is essentially security by obscurity -- removing common fail points, replacing them with something unique and non-obvious.
How to Disable Root Logins in Linux
Step 1: Login to SSH as root.
Most Windows users will be using Putty.
Step 2: Add a new user account.
If you're on a server/VPS that already has users added (via a control panel like DirectAdmin or cPanel, for example), then you'll want to pick a name not already in use on the server. If your new username is "goobersmooch", then you'd type this into SSH:
[root@vps ~]# adduser goobersmooch
Optional: Some guides online suggest you verify the permission of your new user. The command will give a response.
[root@vps ~]# id goobersmooch
uid=510(goobersmooch) gid=510(goobersmooch) groups=510(goobersmooch)
Step 3: Add the user /home directory:
[root@vps ~]# ls -lad /home/goobersmooch/
drwx------ 2 goobersmooch goobersmooch 4096 Jan 10 10:13 /home/goobersmooch/
Step 4: Give your new user a password:
[root@vps ~]# passwd goobersmooch
Step 5: Test the new user.
Open up a second instance of Putty (or whatever SSH client you've chosen), without closing the existing connection. Login with the new username and password. After login, you'll want to "su" to root:
[goobersmooch@vps ~]$ su -
That is su, then a space, then a hyphen. Anything else will be incorrect. If typed correctly, you'll be prompted for a password. The requested user is assumed to be root, so enter your root password at this time, and it should change your prompt to root@ instead of the current goobersmooch@ in bash shell.
If it works, awesome, you're ready for the next step...
Step 6: Disable root login in sshd configuration files.
With a text editor like nano or vi, edit /etc/ssh/sshd_config. In this example, I'm using nano. Type this into the command prompt:
[root@vps ~]# nano /etc/ssh/sshd_config
Scroll down and find the PermitRootLogin line.
Uncomment the entry (remove the #) and change it to no.
Exit the text editor, saving your changes: ^x (CTRL+x) in nano (Y to confirm, then use same file name), or esc followed by :w (to save) followed by :q (to quit) in vi.
Step 7: Restart sshd service.
In CentOS/RHEL Linux distributions, you'll type:
[root@vps ~]# service sshd restart
or for Debian/Ubuntu, you'll type:
[root@vps ~]# /etc/init.d/ssh restart
And that's it.
You can no longer directly access root with a login.
Again, from now on, you'll need to login as the new user you've just created, and then "su -" over to root when needed. Only login as the root user when it's required. Some common SSH maintenance tasks can be managed from the normal user you've just created.
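The Step 6 edit can also be scripted. The following is an added example, not part of the original guide: the function names and the sample config are constructed for illustration, and it works on whatever file path you pass it (the demo uses a temporary copy, not /etc/ssh/sshd_config). It relies on sshd applying the first uncommented occurrence of a keyword, so it re-reads the file after editing and rolls back if root login is not effectively disabled.

```shell
#!/bin/sh
# Added example (assumed helper names); edits only the file path it is given.

# Constructed sample resembling a stock sshd_config.
sample_config() {
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes'
}

# Print the PermitRootLogin value that applies globally, or "unset".
# sshd uses the first uncommented occurrence; lines after "Match" are conditional.
effective_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Set PermitRootLogin to "no" in file $1, keeping a backup in $1.bak.
# Restores the backup and returns 1 if the result is not effectively "no".
disable_root_login() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak" || return 1
    if grep -Eiq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg.bak"; then
        # Rewrite the first matching line, commented or not.
        awk '!seen && tolower($0) ~ /^[ \t]*#?[ \t]*permitrootlogin[ \t]/ {
                 print "PermitRootLogin no"; seen = 1; next }
             { print }' "$cfg.bak" > "$cfg"
    else
        # No entry at all: put one first so it takes precedence.
        { echo 'PermitRootLogin no'; cat "$cfg.bak"; } > "$cfg"
    fi
    if [ "$(effective_root_login "$cfg")" != "no" ]; then
        cp -p "$cfg.bak" "$cfg"   # roll back, e.g. the only entry sat in a Match block
        return 1
    fi
}

# Demo on a temporary copy of the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_config > "$tmp"
    disable_root_login "$tmp" && effective_root_login "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

Before restarting the service, run sshd -t as root to check the edited file for syntax errors, and keep your existing session open until a fresh login as the secondary user works.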
I'll cover changing the sshd service port in another post/guide.
Hope this helps.