{"id":12410,"date":"2019-03-26T23:10:56","date_gmt":"2019-03-26T23:10:56","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12410"},"modified":"2019-03-26T23:10:56","modified_gmt":"2019-03-26T23:10:56","slug":"4-ways-to-disable-root-account-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/26\/4-ways-to-disable-root-account-in-linux\/","title":{"rendered":"4 Ways to Disable Root Account in Linux"},"content":{"rendered":"

The\u00a0root<\/strong>\u00a0account is the ultimate account on a Linux and other Unix-like operating systems. This account has access to all commands and files on a system with full read, write and execute permissions. It is used to perform any kind of task on a system; to\u00a0create\/update\/access\/delete other users\u2019 accounts<\/a>,\u00a0install\/remove\/upgrade software packages<\/a>, and so much more.<\/p>\n

Because the\u00a0root<\/strong>\u00a0user has absolute powers, any actions he\/she performs are critical on a system. In this regard, any errors by the\u00a0root<\/strong>\u00a0user may have huge implications on the normal operation of a system. In addition, this account may also be abused by using it improperly or inappropriately either accidentally, maliciously, or through contrived ignorance of policies.<\/p>\n

Therefore, it is advisable to disable the root access in your Linux server, instead, create an administrative account which should be configured to gain root user privileges using the\u00a0sudo command<\/a>, to perform critical tasks on the server.<\/p>\n

In this article, we will explain four ways to disable root user account login in Linux.<\/p>\n

Attention<\/strong>: Before you block access to the\u00a0root<\/strong>\u00a0account, make sure you have created an administrative account, capable of using\u00a0sudo command<\/a>\u00a0to gain root user privileges, with the\u00a0useradd command<\/a>\u00a0and give this user account a strong password. The flag\u00a0-m<\/code>\u00a0means create user\u2019s home directory and\u00a0-c<\/code>\u00a0allows to specify a comment:<\/p>\n

# useradd -m -c \"Admin User\" admin\r\n# passwd admin\r\n<\/pre>\n
Next, add this user to the appropriate group of system administrators using the\u00a0usermod command<\/a>, where the switch\u00a0-a<\/code>\u00a0means append user account and\u00a0-G<\/code>\u00a0specifies a group to add the user in (wheel or sudo depending on your Linux distribution):<\/p>\n
# usermod -aG wheel admin    #CentOS\/RHEL\r\n# usermod -aG sudo admin     #Debian\/Ubuntu \r\n<\/pre>\n
Once you have created a user with administrative privileges, switch to that account in order to block root access.<\/p>\n
# su admin\r\n<\/pre>\n
1. Change root User\u2019s Shell<\/h3>\n
The simplest method to disable root user login is to change its shell from\u00a0\/bin\/bash<\/code>\u00a0or\u00a0\/bin\/bash<\/code>\u00a0(or any other shell that permits user login) to\u00a0\/sbin\/nologin<\/code>, in the\u00a0\/etc\/passwd<\/strong>\u00a0file, which you can open for editing using any of your favorite command line editors as shown.<\/p>\n
  \r\n$ sudo vim \/etc\/passwd\r\n<\/pre>\n
Change the line:<\/p>\n
root:x:0:0:root:\/root:\/bin\/bash\r\nto\r\nroot:x:0:0:root:\/root:\/sbin\/nologin<\/strong>\r\n<\/pre>\n
\n
\"Change<\/a><\/p>\n
Change root User Shell<\/p>\n<\/div>\n
Save the file and close it.<\/p>\n
From now on, when\u00a0root<\/strong>\u00a0user logs in, he\/she will get the message \u201cThis account is currently not available.<\/strong>\u201d This is the default message, but, you can change it and set a custom message in the the file\u00a0\/etc\/nologin.txt<\/strong>.<\/p>\n
This method is only effective with programs that require a shell for user login, otherwise,\u00a0sudo<\/strong>,\u00a0ftp<\/strong>\u00a0and\u00a0email<\/strong>clients can access the root account.<\/p>\n
2. Disable root Login via Console Device (TTY)<\/h3>\n
The second method uses a\u00a0PAM<\/strong>\u00a0module called\u00a0pam_securetty<\/strong>, which permits root access only if the user is logging in on a \u201csecure\u201d TTY<\/strong>, as defined by the listing in\u00a0\/etc\/securetty<\/strong>.<\/p>\n
The above file allows you to specify which\u00a0TTY<\/strong>\u00a0devices the root user is allowed to login on, emptying this file prevents root login on any devices attached to the computer system.<\/p>\n
To create an empty file, run.<\/p>\n
$ sudo mv \/etc\/securetty \/etc\/securetty.orig\r\n$ sudo touch \/etc\/securetty\r\n$ sudo chmod 600 \/etc\/securetty\r\n<\/pre>\n
This method has some limitations, it only affects programs such as login, display managers (i.e\u00a0gdm<\/strong>,\u00a0kdm<\/strong>\u00a0and\u00a0xdm<\/strong>) and other network services that launch a TTY. Programs such as su, sudo, ssh, and other related openssh tools will have access to the root account.<\/p>\n
3. Disabl SSH Root Login<\/h3>\n
The commonest way of accessing remote servers or VPSs is via SSH and to block root user login under it, you need to edit the\u00a0\/etc\/ssh\/sshd_config<\/strong>\u00a0file.<\/p>\n
$ sudo vim \/etc\/ssh\/sshd_config\r\n<\/pre>\n
Then uncomment (if it is commented) the directive\u00a0PermitRootLogin<\/strong>\u00a0and set its value to\u00a0no<\/code>\u00a0as shown in the screenshot.<\/p>\n
\n
\"Disable<\/a><\/p>\n
Disable Root Login in SSh<\/p>\n<\/div>\n
Once you are done, save and close the file. Then restart the\u00a0sshd<\/strong>\u00a0service to apply the recent change in configurations.<\/p>\n
$ sudo systemctl restart sshd \r\nOR\r\n$ sudo service sshd restart \r\n<\/pre>\n
As you may already know, this method only affects openssh tools set, programs such as ssh, scp, sftp will be blocked from accessing the root account.<\/p>\n
4. Restrict root Acess to Services Via PAM<\/h3>\n
Pluggable Authentication Modules<\/strong>\u00a0(PAM<\/strong>\u00a0in short) is a centralized, pluggable, modular, and flexible method of authentication on Linux systems. PAM, through the\u00a0\/lib\/security\/pam_listfile.so<\/strong>\u00a0module, allows great flexibility in limiting the privileges of specific accounts.<\/p>\n
The above module can be used to reference a list of users who are not allowed to log in via some target services such as login, ssh and any PAM aware programs.<\/p>\n
In this case, we want to disable root user access to a system, by restricting access to login and sshd services. First open and edit the file for the target service in the\u00a0\/etc\/pam.d\/<\/strong>\u00a0directory as shown.<\/p>\n
$ sudo vim \/etc\/pam.d\/login\r\nOR\r\nsudo vim \/etc\/pam.d\/sshd\r\n<\/pre>\n
Next, add the configuration below in both files.<\/p>\n
auth    required       pam_listfile.so \\\r\n        onerr=succeed  item=user  sense=deny  file=\/etc\/ssh\/deniedusers\r\n<\/pre>\n
When you are done, save and close each file. Then create the plain file\u00a0\/etc\/ssh\/deniedusers<\/strong>\u00a0which should contain one item per line and not world readable.<\/p>\n
Add the name root in it, then save and close it.<\/p>\n
$ sudo vim \/etc\/ssh\/deniedusers\r\n<\/pre>\n
Also set the required permissions on this.<\/p>\n
$ sudo chmod 600 \/etc\/ssh\/deniedusers\r\n<\/pre>\n
This method only affect programs and services that are PAM aware. You can block root access to the system via ftp and email clients and more.<\/p>\n
For more information, consult the relevant man pages.<\/p>\n
$ man pam_securetty\r\n$ man sshd_config\r\n$ man pam\r\n<\/pre>\n
That\u2019s all! In this article, we have explained four ways of disabling the root user login (or account) in Linux. Do you have any comments, suggestions or questions, feel free to reach us via the feedback form below.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
The\u00a0root\u00a0account is the ultimate account on a Linux and other Unix-like operating systems. This account has access to all commands and files on a system with full read, write and execute permissions. It is used to perform any kind of task on a system; to\u00a0create\/update\/access\/delete other users\u2019 accounts,\u00a0install\/remove\/upgrade software packages, and so much more. Because … <\/p>\n
Continue reading “4 Ways to Disable Root Account in Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12410","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=12410"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12410\/revisions"}],"predecessor-version":[{"id":12411,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12410\/revisions\/12411"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=12410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=12410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=12410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}