How to prevent root login on your Linux servers

If you're overly paranoid about security (which you should be), you might want to consider blocking root logins on your Linux servers. Here's how to do it.


Security. Need I say more? In a single word, every IT administrator understands just how critical their jobs have been, are, and will become. Each one of those admins knows it is in their best interest to do everything they can to lock down their data—even the smallest things can go a long way to prevent security breaches.

One such thing you can do is prevent the root user from logging into your Linux machines.

Wait a minute. You may be asking yourself, "But if I prevent the root user from logging in, how do I run admin tasks?" Simple. You add a specific user to the administrator group (which group this is will depend upon your distribution), such that the user can use sudo and do everything they need.

How this is done will depend upon your distribution. If you're using Ubuntu, you already know that the root user is disabled by default; you cannot log into your Ubuntu server (or desktop) as the root user. You can, however, log in as a regular user and then (so long as the regular user is either in the /etc/sudoers file or a member of the admin group) issue the command sudo -s to gain access to the root user.

But how do you manage that on the likes of Fedora Server? Let me show you.

Adding a user to the correct group

Before you go about disabling root login, you will want to first add a user to the administrator group. To do this, log into the server as the root user and issue the following command:

usermod -a -G wheel USERNAME

Where USERNAME is the name of the user to be added. Once you've done that, log out as root, log in as the user you just modified, and issue the command sudo -s. If you are given root access, you're ready to move on. Remain logged in as that user, as is.

Disabling root login

We are going to modify the file /etc/passwd. Before we do that, we'll make a backup with the command cp /etc/passwd /etc/passwd.bak. Once you've done that, open the original file with the command nano /etc/passwd. In the top line, change:

root:x:0:0:root:/root:/bin/bash

to:

root:x:0:0:root:/root:/sbin/nologin

Save and close that file. Before you log out of that server, let's test it by secure shelling in from another server. Issue the command:

ssh root@SERVER_IP

Where SERVER_IP is the IP address of the Fedora Server machine.

You should be denied access to the server (Figure A).

Figure A: Denied!

Attempt to secure shell into the same server, using the account you added to the wheel group. You should be allowed access. Once you've done that, issue the command sudo -s to find yourself at the root prompt.

Finally, log out of the actual server and attempt to log back in as the root user. You will not be able to gain access via the root login. Log in as the user in the wheel group and you should be good to go.
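
A pre-flight check for the procedure above, as an added example that is not part of the original article: it reads passwd- and group-format files and confirms that root's shell is a nologin shell and that at least one wheel member can still log in. The function names, the sample user "alice" and the assumption that wheel membership grants sudo are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Assumes wheel grants sudo (Fedora default).

# Print USER's login shell (7th passwd field); non-zero exit if USER is absent.
login_shell() {  # login_shell USER [PASSWD_FILE]
    awk -F: -v u="$1" '$1 == u { print $7; found = 1; exit }
                       END { exit !found }' "${2:-/etc/passwd}"
}

# Succeed when the shell refuses interactive logins.
is_nologin() {
    case "$1" in */nologin|*/false) return 0 ;; *) return 1 ;; esac
}

# Print members of GROUP (4th group field) that still have a login shell.
# Users whose primary group is GROUP are not listed in that field.
admins_with_shell() {  # admins_with_shell GROUP [GROUP_FILE] [PASSWD_FILE]
    local m s
    for m in $(awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }' "${2:-/etc/group}"); do
        s=$(login_shell "$m" "${3:-/etc/passwd}") || continue
        is_nologin "$s" || printf '%s\n' "$m"
    done
}

# 0: root locked and an admin can log in; 1: unsafe or not done; 2: no root entry.
check_root_lockdown() {  # check_root_lockdown [PASSWD_FILE] [GROUP_FILE]
    local root_shell admins
    root_shell=$(login_shell root "${1:-/etc/passwd}") || { echo "FAIL: no root entry"; return 2; }
    admins=$(admins_with_shell wheel "${2:-/etc/group}" "${1:-/etc/passwd}")
    if [ -z "$admins" ]; then
        echo "FAIL: no wheel member has a login shell; locking root would lock you out"
        return 1
    fi
    if ! is_nologin "$root_shell"; then
        echo "TODO: root shell is still $root_shell"
        return 1
    fi
    echo "OK: root shell is $root_shell; wheel admin(s): $(echo $admins)"
}

# Constructed sample files (user "alice" is hypothetical) for an offline trial.
make_sample() {  # make_sample DIR ROOT_SHELL WHEEL_MEMBERS
    printf 'root:x:0:0:root:/root:%s\nalice:x:1000:1000::/home/alice:/bin/bash\n' "$2" > "$1/passwd"
    printf 'wheel:x:10:%s\n' "$3" > "$1/group"
}
# Offline trial: d=$(mktemp -d); make_sample "$d" /sbin/nologin alice
#                check_root_lockdown "$d/passwd" "$d/group"
```

Called with no arguments, check_root_lockdown reads the live /etc/passwd and /etc/group, so it can be run from the still-open session before logging out.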

That's all there is to denying root login to your Fedora Server. It's not a be-all, end-all security measure, but every little step towards security (no matter how small) counts.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
