You can configure your SSH server to not allow root user to log in via SSH. This could improve security in a few ways such as by minimising brute-force login by bots which would try to log in as the user
root user should exist in all
SSH implementation nowadays,
root is not allowed to log in via username and password combination, but instead needs to use another method such as public key. This could negate the bot brute-force issue, but still doesn't provide traceability in multi-user systems where many users could be logging in using the root user, and would make it hard to trace changes back to a specific user.
The better option is to create a user on the server for each person needing access, configure sudo access to the user if necessary, and then to disable SSH login for the
SSH server is configured to block root login you'll get a "Permission denied, please try again" error when logging in even if you keyed in the correct password.
$ ssh [email protected]
The authenticity of host 'example.com (192.168.111.146)' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'example.com,192.168.111.146' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
Steps to block or deny root login in SSH:
root access to the normal user via sudo (optional, if required).
sshd configuration file using favourite text editor.
$ sudo vi /etc/ssh/sshd_config
[sudo] password for user:
PermitRootLogin and set the option to
Add the line if it doesn't already exist and remove the # at the beginning of the line if it exists.
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.
$ sudo systemctl restart sshd
|Red Hat Enterprise Linux|
|SUSE Linux Enterprise Server|
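The following is an added example, not part of the original page: a shell check of which global PermitRootLogin value a given sshd_config file yields, applying sshd's first-value-wins rule and the prohibit-password default quoted above. The two sample files and the function names are constructed for illustration, and Include directives and Match-block overrides are not evaluated (assumptions of this example).

```shell
#!/bin/sh
# Added example, not from the original page. Match blocks and Include
# directives are not evaluated (assumption); sample files are constructed.

effective_permit_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); key = tolower(line) }
        key ~ /^#/ { next }                       # commented-out lines have no effect
        key ~ /^match[ \t]/ { exit }              # global section ends at the first Match
        key ~ /^permitrootlogin[ \t=]/ {          # keywords are case-insensitive
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            print line; found = 1; exit           # sshd keeps the first value it reads
        }
        END { if (!found) print "prohibit-password" }   # documented default
    ' "$1"
}

root_login_blocked() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed sample: the "#" line is ignored and the first active value wins.
cat > "$demo_dir/hardened" <<'EOF'
#PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
EOF

# Constructed sample: the line was left commented, and the active one was
# appended after a Match block, so it only applies inside that block.
cat > "$demo_dir/appended" <<'EOF'
#PermitRootLogin no
Match User backup
    X11Forwarding no
PermitRootLogin no
EOF

for f in hardened appended; do
    if root_login_blocked "$demo_dir/$f"; then verdict="root login blocked"
    else verdict="root login NOT fully blocked"; fi
    printf '%s: PermitRootLogin=%s (%s)\n' "$f" \
        "$(effective_permit_root_login "$demo_dir/$f")" "$verdict"
done
```

On a live host, `sudo sshd -t` validates the edited file before the restart, and `sudo sshd -T | grep -i permitrootlogin` prints the value sshd will actually use.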