The root user is the superuser in Linux, with the access and privileges to run all commands, programs and processes. It has full read, write and execute permissions, and it can create, modify and delete other user accounts. Because root has so many privileges, any wrong command or action run as root can seriously damage your system. If the account is compromised or abused, the attacker controls your entire system and can use it against you. It is therefore advisable to disable root access and create administrative user accounts that temporarily obtain root privileges through the sudo command. In this article, we will learn 3 ways to disable root access in Linux.
How to Disable Root Login in Linux
Before you block the root account, you need to create an administrative account that has sudo access to get root privileges. You can do so using the useradd command with the -m flag, which creates the user's home directory, and then give this user a strong password. Here are the commands to create the admin user and assign its password.
# useradd -m -c "Admin User" admin
# passwd admin
The first command above only creates a new user, while the second command sets its password. When you run the second command, you will be prompted for the password that you want to set for the new user.
Next, we use the usermod command to add this new user to the group of administrative users. We use the -a flag to append the user and the -G flag to specify the group to which the user is added.
# usermod -aG wheel admin    # CentOS/RHEL
# usermod -aG sudo admin     # Debian/Ubuntu
The first command above adds the new user to wheel user group which is the administrative group in CentOS/RHEL. The second command will add the new user to sudo user group, which is the administrative user group in Debian/Ubuntu.
Once you have created a new administrative user, switch to that account to disable root account.
# su admin
1. Change root user’s shell
Every Linux user has a default shell that starts when they log in to the system. If that shell is set to /sbin/nologin, the user cannot log in to the account. So we change the root user's shell from /bin/bash to /sbin/nologin in the /etc/passwd file. Open the file in a text editor.
$ sudo vim /etc/passwd
Change the following line as shown below.
root:x:0:0:root:/root:/bin/bash
to
root:x:0:0:root:/root:/sbin/nologin
Save and close the file.
Once you do this, whenever anyone tries to login as root, they will see the following message.
“This account is currently not available.”
This is the default message, but you can change it by editing the /etc/nologin.txt file. Please note that this method only stops users from getting a shell as root, or from running programs that require shell access.
2. Disable SSH Root Login
In this method, we simply disable SSH access to the root account. SSH is the most common way for developers and attackers to log in to Linux systems, so disabling SSH access to the root account prevents many people from accessing it.
Open SSH config file on your server, with the following command.
$ sudo vim /etc/ssh/sshd_config
Uncomment the directive PermitRootLogin and set it to no.
...
PermitRootLogin no
...
Save and close the file. Restart SSH server to apply changes.
$ sudo systemctl restart sshd
OR
$ sudo service sshd restart
This will block all applications that use OpenSSH, such as SSH, SCP and SFTP, from accessing the root account. Other applications will still be able to use the root account.
3. Disable Root Login via TTY
In this method, we use a PAM module called pam_securetty, which permits root access only if the user is logging in via secure TTY, as defined in /etc/securetty.
This file lists the TTY devices on which the root user can log in. If you replace it with an empty file, root cannot log in on any TTY device. Here are the commands to back up the original file and create an empty one.
$ sudo mv /etc/securetty /etc/securetty.orig
$ sudo touch /etc/securetty
$ sudo chmod 600 /etc/securetty
Please note, this affects only programs such as login, display managers and network services that require TTY to launch. However, commands like su, sudo, ssh can still access root account.
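To see which of the three methods are actually in effect, the following shell script reads the three files and reports on each one. It is an added example, not part of the original article: the function names are made up, the sample files are constructed, and the sshd check assumes a single config file and reads only its global section (Include files and Match blocks are not evaluated).

```shell
#!/bin/sh
# Added example: read-only audit of the three methods. Function names are
# made up for this example; each check takes the file to inspect as $1.

# Method 1: field 7 of root's passwd entry must be a nologin shell.
root_shell_disabled() {
    shell=$(awk -F: '$1 == "root" { print $7; exit }' "$1")
    case "$shell" in */nologin) return 0 ;; *) return 1 ;; esac
}

# Method 2: sshd uses the first value it obtains for a keyword and treats
# keywords case-insensitively. Commented-out lines do not count, and the
# scan stops at the first Match block so only the global setting is judged.
ssh_root_login_disabled() {
    value=$(awk 'tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$value" = "no" ]
}

# Method 3: securetty must exist and list no devices (comments and blank
# lines are ignored). A missing file counts as a failure.
securetty_empty() {
    [ -f "$1" ] && ! grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# Print PASS/FAIL per method; the return status is the number of failures.
# Arguments: passwd file, sshd_config file, securetty file (no spaces in paths).
audit_root_login() {
    fails=0
    for check in "root_shell_disabled $1" "ssh_root_login_disabled $2" "securetty_empty $3"; do
        if $check; then echo "PASS ${check%% *}"
        else echo "FAIL ${check%% *}"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample files: methods 1 and 2 applied, method 3 not yet.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/sbin/nologin\nadmin:x:1000:1000:Admin User:/home/admin:/bin/bash\n' > "$demo/passwd"
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'tty1\n' > "$demo/securetty"
audit_root_login "$demo/passwd" "$demo/sshd_config" "$demo/securetty" || echo "$? check(s) still failing"
rm -rf "$demo"
```

On a real host, run audit_root_login /etc/passwd /etc/ssh/sshd_config /etc/securetty from an account that can read those files.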
In this article, we have learnt how to disable root login in Linux. Please note, you will need to use a combination of above methods to be able to completely block root access.