One of the first things to do when setting up a new server is to protect it against brute force attacks. Say you’ve just received the credentials for a dedicated or cloud server, and have logged in for the first time. What steps do you take to secure it? In this series, we’ll look at a checklist to secure Linux servers that you can follow one after the other. Starting with how to disable root login.
If you think your server won’t be brute forced, you haven’t seen the security logs generated by even a low traffic server. You’re going to have literally thousands of hits every day, trying to guess your username and password. And since every server spawns with a root user, half of the combination is already known, making the job of the hacker much easier. So the first thing we need to do is to remove this vector and prevent a user from logging in as root. This doesn’t mean you can’t perform root actions. It just means that login is blocked. Here’s how.
Step 1: Adding a new User
Let’s say you’ve just logged in for the first time as root:
The first step is to now add a new user to replace root – not necessarily with the same permissions though. To do this, type in the following command:
Replace [username] with the name of your choosing. In this example, my username is “notroot”:
As shown above, immediately after, set a password by typing in:
This will prompt you for the password for the new user. Once you’ve typed and retyped the password, the user is created. We’re now ready to disable root login.
Step 2: Disable Root Login
The setting controlling root login is located in a file called “sshd_config” located in the “/etc/ssh/”. While you can user any text editor of your choosing, the most ubiquitous is called “vim”. If you don’t know how to use it, now’s a good time to do so. It’s worth the time investment. For now, type the following into the console:
This will open up the file in the Vim editor. You can’t accidentally change anything because it’s in “command” mode. We need to search for the line #PermitRootLogin. To do this, type the following keys into vim.
The first character “/” puts the editor in search mode, and “\#” escapes the hashtag (#) symbol, so this should find the line we’re looking for immediately. Once you’re there, put the editor into “insert” mode by pressing:
Now you can move the cursor around like in a normal text editor. Simply delete the “#” character to uncomment it. Now the entire line should read:
Now we just save our changes. Put the editor back into “command” mode by pressing the escape key. Then type:
And hit “Enter”. Vim will quit, and your changes will be saved. You’ll be kicked back to the terminal. The final step is to restart the sshd service. Type this into the command prompt:
systemctl restart sshd
This reloads the configuration from the sshd_config file. To see if our changes have worked, exit the terminal and try and login again as root. It should give you an “Access Denied” message:
Step 3: Perform Root Actions Using our First Username
Now we login as the first user we created using “adduser” instead:
But this isn’t a substitute for root of course. It doesn’t have the requisite permissions. But don’t worry. To get root access after login, type in the following command:
su - root
This will prompt you for the root password and when you type it in, your user will have root access. So you can see that while you can’t log in as root, you don’t have to give up any of the power of the root account.
And that completes the first step of securing a Linux server by disabling root login!
Is your website slow?
Enter its URL below to find out now: