
You can configure your SSH server to disallow logins by the root user over SSH. This could improve security in a few ways, such as by minimising brute-force login attempts from bots, which try to log in as root because the root user should exist on all Unix-based systems.

PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.

In most SSH implementations nowadays, root is not allowed to log in with a username and password combination and must instead use another method such as a public key. This could negate the bot brute-force issue, but it still doesn't provide traceability on multi-user systems, where many people could be logging in as root, which makes it hard to trace changes back to a specific user.

The better option is to create a user on the server for each person needing access, configure sudo access to the user if necessary, and then to disable SSH login for the root user.

Disable root login in SSH:

  1. Add a normal user to the system (optional, if you don't already have one).
  2. Configure root access for the normal user via sudo (optional, if required).
  3. Launch your preferred terminal application.
  4. Open the sshd configuration file using your favourite text editor.
    $ sudo vi /etc/ssh/sshd_config
    [sudo] password for user:
  5. Search for PermitRootLogin and set the option to no.
    PermitRootLogin no

    Add the line if it doesn't already exist, and remove the # at the beginning of the line if there is one.

  6. Reload or restart the SSH server service.
    $ sudo systemctl restart sshd
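
After editing, confirm which value sshd will actually apply: sshd uses the first value it obtains for a keyword, so a "PermitRootLogin no" added below an existing "PermitRootLogin yes" changes nothing. The script below is an added example, not part of the original guide; the function names and the sample configuration are constructed for illustration, and it reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example (not from the original guide). sshd uses the FIRST value it
# obtains for a keyword, so a "PermitRootLogin no" appended below an earlier
# "PermitRootLogin yes" has no effect. Include files are not followed here
# (assumption: one file is checked at a time).

# Print the global PermitRootLogin value that applies in config file $1.
effective_permit_root_login() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " "); gsub(/"/, "") }  # comments, key=value, quotes
        tolower($1) == "match" { exit }                   # lines below are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }     # default quoted in this guide
    ' "$1"
}

# Succeed only when root login is fully disabled in config file $1.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: a stale "yes" sits above the newly added "no".
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF

if root_login_disabled "$demo_cfg"; then
    echo "root login disabled"
else
    echo "root login still allowed: $(effective_permit_root_login "$demo_cfg")"
fi
rm -f "$demo_cfg"

# On a real host, validate before restarting and confirm the effective value:
#   sudo sshd -t
#   sudo sshd -T | grep -i '^permitrootlogin'
```

Keep your current SSH session open while you restart the service and test a new login, so a mistake in the file cannot lock you out.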

Guide compatibility:

Operating System
Ubuntu Linux
Debian Linux
Red Hat Enterprise Linux
Fedora Linux
CentOS Linux
openSUSE Linux
SUSE Linux Enterprise Server
FreeBSD
OpenBSD
NetBSD
macOS