You can configure your SSH server to not allow root user to log in via SSH. This could improve security in a few ways such as by minimising brute-force login by bots which would try to log in as the user root because root user should exist in all Unix-based systems.

In most SSH implementation nowadays, root is are not allowed to log in via username and password combination, but instead need to use other method such as public key. This could negate the bot brute force issue, but still doesn't provide traceability in a multi-user systems where many users could be logging in using the root user and would make tracing back changes to a specific user system hard.

The better option is to create a user on the server for each person needing access, configure sudo access to the user if necessary, and then to disable SSH login for the root user.

If an SSH server is configured to block root login you'll get a Permission denied, please try again error when logging in even if you keyed in the correct password. 

$ ssh [email protected]
The authenticity of host 'example.com (192.168.111.146)' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'example.com,192.168.111.146' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.

Steps to block or deny root login in SSH:

  1. Add normal user to the system (optional, if you don't already have one).
  2. Configure root access to the normal user via sudo (optional, if required).
  3. Launch your preferred terminal application.
  4. Open sshd configuration file using favourite text editor. 
    $ sudo vi /etc/ssh/sshd_config
[sudo] password for user:
  5. Search for PermitRootLogin and set the option to no. 
    PermitRootLogin no

    Add the line if it doesn't already exist and remove the # at the beginning of the line if exists.

    PermitRootLogin
    Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.

  6. Reload or restart SSH server service. 
    $ sudo systemctl restart sshd

    How to start, restart and stop SSH service

Guide compatibility:

Operating System
Ubuntu Linux
Debian Linux
Red Hat Enterprise Linux
Fedora Linux
CentOS Linux
openSUSE Linux
SUSE Linux Enterprise Server
FreeBSD
OpenBSD
NetBSD
macOS
Discuss the article:

Comment anonymously. Login not required.

author: shakir
Share!