In the Linux/Unix/*BSD and their various flavours, the “root” user is the most powerful user on the whole system. If anyone gains access to this user, they can literally do anything, including wiping the whole installation with one short command.
So it’s important to protect this user as much as possible. There are a few things that you can do, including changing the standard port that SSH runs on (22), and using SSH keys to identify yourself, but these two things aren’t always suitable for all people.
One of the very first things you should do when setting up a Unix based machine that has any kind of access to the Internet is to disable the ability to log in directly as root. This will mean that people will not (or should not) be able to “brute force” their way in.
Please note: I am using the user name “admin” as an example – this will be too obvious to guess for potential “hackers”, so choose a user name that is a bit more random and/or unique to you.
1) Add an “unprivileged” user
First, we add the user – by default, it will be unprivileged, which means it won’t have any special permissions the same way root does, for example.
Adduser admin
Then we give the new user a password (one is not set by default).
passwd admin
So you should see something like:
2) Give your new user permission to change to root
You will need to “change” user to root, by default you can’t do this as an unprivileged user. You do this by adding your chosen user name to the “wheel” group. Using usermod with the “-G” switch will allow you to add your user to the “wheel” group. In the following, change “admin” to your user name.
usermod -G wheel admin
You can also do this in your favourite text editor by editing /etc/group. Find the wheel user line:
wheel:x:10:root
…so it looks like (again, change “admin” to your user name):
wheel:x:10:root,admin
If you are also logged in as your “admin” user, you will have to login again for this change to take effect.
Now test that you can change your admin user to the root user. You need to test this as you could get locked out of root otherwise. You do this by typing:
su -
If all is well, you should be asked for your root password, and you will then, if there are no error messages, be the root user. Adding the dash “-” to the su command simply changes you to the root homedir, otherwise, you stay in the same directory you are currently in.
If you now type “exit”, you will end up back as your original user.
3) Edit the SSH server’s config
As root, you now need to edit the SSH server’s config file.
In your favourite editor, open /etc/ssh/sshd_config (note the “d”, so not ssh_config – if you try editing this you will end up spending ages wondering why it doesn’t work…)
Locate the line with “PermitRootLogin”, by default it should look like this:
#PermitRootLogin yes
The hash (or pound if you’re American) means that it is “commented out” (used in this case to tell the software to “ignore this line”), we need to remove this and change “yes” to “no”.
PermitRootLogin no
4) And finally…
Before you close your current root connection, try logging in as root in a separate window – it should fail. And now try logging in (su) from your “admin” user. If all is well, you can now safely log out.
And that’s it, it’s quite simple to do really, and adds an extra layer of security.
As a side note, and while I personally prefer to “su” to root, many people recommend using “sudo” to carry out commands as another user with their permissions, such as root. More on sudo will follow in a separate article.