How do I disable root login in Ubuntu?

Solution 1:

It's debatable, to me, that disabling root is worth the potential issues. I have never tested a server configured in such a manner. My preference is to allow root local access only. If an attacker has physical access to your server, you can forget everything you've done to "secure" your install anyway.

Disable root ssh access by editing /etc/ssh/sshd_config to contain:

PermitRootLogin no

Fiddling with /etc/shadow, or chsh -s /bin/false root, can all be undone with a simple bootable CD/thumbdrive.

Update per your comment:

From help.ubuntu.com: "By default, the root account password is locked in Ubuntu". Please see the section "Re-disabling your root account" specifically. In order to reset the state of root's account, to install-default, use the following command:

sudo usermod -p '!' root

Solution 2:

I assume you refer to remote login via ssh. Add the following line to /etc/ssh/sshd_config:

PermitRootLogin no

and then restart the ssh service:

sudo service ssh restart

That should do the job and you can keep your root account as it is (or try to disable it anyway if you feel that is necessary).


Solution 3:

The main question has been answered several times, but the secondary one has not. SSH still prompts for a password when you enter root after it is disabled; this is a security feature. It will also trigger if you try to log in as lkjfiejlksji.

This is to prevent someone from testing a pile of usernames to try and find out which are valid on your system. However, from a security standpoint, if you've disabled root over SSH, I'd also set up a brute-force detection program (like fail2ban), and set it so that if someone even tries to log in as root, it blocks them from trying any additional attacks.


Solution 4:

Replacing the encrypted password with a * in /etc/shadow (second field, after the first ':') is the best way, IMHO. Also, deactivate root login for ssh (this way it's simply impossible to log in via ssh as root) and maybe restrict ssh to certificate logins, which is much more secure than password-based logins.

In most cases, SSH should be the only service accessible from the outside which potentially allows root login, so this door would be locked.

In order to further restrict this, you could install something like fail2ban, which bans IP addresses for a certain amount of time after a number of unsuccessful login attempts.
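A small POSIX shell audit, added here and not part of any of the answers above, that checks the two controls Solutions 1, 2 and 4 describe against sample files: the effective PermitRootLogin value of an sshd_config (sshd keeps the first occurrence of a keyword, so a "no" appended after an earlier "yes" does nothing) and whether root's shadow entry is locked with ! or *. The helper names, the sample file contents and the temp-directory layout are my own assumptions.

```shell
#!/bin/sh
# Added audit helpers, not code from the answers above. Each function takes a
# file path, so it runs on the constructed samples below or on the real
# /etc/ssh/sshd_config and /etc/shadow (reading the latter requires root).

# Effective PermitRootLogin value. sshd honours the FIRST occurrence of a
# keyword, so "no" appended below an earlier "yes" is ignored; lines after the
# first Match block are conditional and are skipped here. When the keyword is
# absent, the upstream default (prohibit-password) applies.
permit_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Succeeds when root's password field in a shadow file is locked, i.e. starts
# with "!" (what "usermod -p '!' root" writes) or "*" (Solution 4's method).
root_locked() {
    awk -F: '$1 == "root" { found = 1; if ($2 ~ /^[!*]/) locked = 1 }
             END { exit !(found && locked) }' "$1"
}

# Write constructed sample files (not real system files) into directory $1.
make_samples() {
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' \
        'PasswordAuthentication no' > "$1/sshd_config.hardened"
    printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' \
        > "$1/sshd_config.weak"          # appended "no" loses to the earlier "yes"
    printf '%s\n' 'Port 22' > "$1/sshd_config.unset"
    printf '%s\n' 'root:!:19000:0:99999:7:::' 'daemon:*:19000:0:99999:7:::' \
        > "$1/shadow.locked"
    printf '%s\n' 'root:$6$constructed$notARealHash:19000:0:99999:7:::' \
        > "$1/shadow.unlocked"
}

# Print a short report for one sshd_config ($1) / shadow ($2) pair.
audit() {
    printf 'PermitRootLogin effective value: %s\n' "$(permit_root_login "$1")"
    if root_locked "$2"; then echo "root account: locked"; else echo "root account: NOT locked"; fi
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
audit "$SAMPLE_DIR/sshd_config.hardened" "$SAMPLE_DIR/shadow.locked"
audit "$SAMPLE_DIR/sshd_config.weak" "$SAMPLE_DIR/shadow.unlocked"
rm -rf "$SAMPLE_DIR"
```

On a live host, `sudo sshd -T | grep -i permitrootlogin` shows the daemon's own view of the effective setting and is the authoritative check after editing the file.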
