Another security measure you can take to lock down a Linux server is to disable the root user login in the SSH server.
Note that there are two config files in the /etc/ssh/ directory, ssh_conf and sshd_conf. ssh_conf pertains to outbound SSH sessions (example: you are already connected to your server and you SSH into another server) while sshd_conf controls how inbound SSH sessions are handled by the server itself.
Remember, backing up any important system file before you modify it is always a good idea!
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
When connected to the server as root use your favorite text editor to open the sshd configuration file (/etc/ssh/sshd_config). For this tutorial we will use vim.
With the file open, find the line labeled PermitRootLogin. It will most likely be commented out using the # symbol. Example:
We will need to remove the # symbol to make the line active, and then change “yes” to “no”.
Example of the end result:
While we have disabled directly using SSH to log in to the server as root, this of course does not mean that you want to disable root-level functions entirely. This step will show you how to create a new user just for SSH purposes, and how to allow that user to switch to root once they are logged in.
If you already have a user account on the server that you would like to use for this purpose you can skip ahead to the instructions for adding a user to the wheel group.
Adding the User
We will use the commands adduser and passwd to create a new user account and assign it a password. You are welcome to name this new account anything you want, but for this example we will call it lwsupport.
When you run the passwd command with the user name it will ask you to type in the new password twice for verification.
Adding the User to the Wheel Group
Important note: Be sure to back up the group file before making changes!
Open the /etc/group file in your favorite editor. Find the line called “Wheel” and add your new user account to the existing line (be sure to follow the existing format of other lines, and add a comma where necessary).
Save your changes and close the file.
Now we will need to restart SSH to apply the new settings with the following command:
service sshd restart
Root logins are now disabled in the SSH server.
Logout of your root SSH session to the server and login as your new user instead. Once you are logged in as the new user simply run the command su – and you will prompted for the server’s root password. Be sure to use a – after the su command so that your path settings to various programs are correct.
Now that your server no longer allows the root user to log in over SSH our support staff will need to know the new login details. If we do not have the new login details on file our monitoring team will not be able to proactively fix problems on your server.