Create a Super User & Disable SSH root login
Published 22-03-2015
Over the years I have had clients who have asked me to perform some action, either for their website or for their server. Normally these have been to help installing scripts etc. In order to do most of these actions I have required root access via SSH to their server.
I have come across an alarming number of users who still have root login enabled on their server. This is possibly one of the biggest security holes your server can have. The username root is the same on every server, so when root login is enabled all a hacker has to do is guess your password. A brute force attack will keep guessing your password over and over again until it gains access.
There are other options which can limit the number of failed logins before your server puts that IP address on a permanent block, but I won’t cover that here. You can also change your server's SSH port and perform a little security through obscurity.
It’s much safer to have a separate account that can log in to your server and then, when required, you can su (su allows you to switch between users) to the root user.
I have come across so many articles on the internet now which describe exactly how to disable root access, which are all correct, but the one thing they forget to say before you restart the server is that you need to create the super user (also known as wheel user) first. It’s no good disabling the root login and restarting the server if you haven’t created a way back in. You are then locked out of the server yourself.
The first step we need to do is create the super user so you can actually log back in to your server once we have disabled the root login.
In this example I will be creating a user called bobby46. You will need to change any instance of this name to your super username.
I prefer to use PuTTY as my SSH client, so we now need to open our SSH client and log in to the server as the root user.
Once you are logged in as root you will need to issue the following two commands.
adduser bobby46
passwd bobby46
The system will now ask you for a password and then to confirm the password. This will be the password that the super user bobby46 can log in to the server with. Make this a good secure password.
We now need to add the user bobby46 to the wheel group. To do this we need to edit a file. Issue the following command to open the file in the text editor.
vi /etc/group
Once the file has opened you need to scroll down the page until you find the following line: wheel:x:10: (sometimes displayed as wheel:x:10:root). Once you have found this line you need to change it so it reads as follows, keeping the group ID (10) in the third field and putting the username in the fourth.
wheel:x:10:bobby46
In order to edit any of the text you will need to press i on your keyboard. This allows you to enter the insert mode. Once you have edited your file press the escape key on your keyboard, which exits the insert mode. We now need to save and exit the file. Press the : on your keyboard followed by wq and then press the return key.
You have now added the username bobby46 to your server and allowed him permissions to log in to the system.
We now need to disable the root login. To do this we have to edit one more file. Issue the following command at the command line prompt.
vi /etc/ssh/sshd_config
You need to scroll down the file until you find the following line: #PermitRootLogin yes. When you have found this line you will notice the hash tag at the start of the line. The hash tag means that this line is not being read by the server, so in order for this line to take effect we need to remove the hash tag symbol and change yes to no. The line should now look like the example below.
PermitRootLogin no
In order to edit any of the text you will need to press i on your keyboard again. This allows you to enter the insert mode. Once you have edited your file press the escape key on your keyboard, which exits the insert mode. We now need to save and exit the file. Press the : on your keyboard followed by wq and then press the return key.
Once you have edited the line and saved your file we need to restart SSHD so the new settings are active. To restart SSHD issue the following command.
service sshd restart
If all the above steps have been followed you should now have an active working super user who can log in to the server, and root login via SSH has been disabled. Taking this for granted however is never good, so we need to perform a quick check to make sure that everything’s ok and you can still log in to your server.
DO NOT CLOSE OFF YOUR OPEN SSH CONNECTION YET
Open a new SSH connection via your SSH client, in my case PuTTY. For the login details you should enter the super user, in my case bobby46, and the password you created for that user.
If all is well you should now be logged into your server as the super user. A lot of actions on the server need to be performed as the root user so we need to check that we can switch to the root user. Issue the following command.
su root
You will now be prompted for the root password. Enter your root password and press the enter key. We can check that we are now acting as the root user by issuing the following command. This command asks the server "who am I?"
whoami
The server will now tell you which user you are acting as. In order to return to the super user you can type exit followed by the enter key. This will exit you as the root user and return you to the super user. Typing exit again followed by the enter key will exit you as the super user and close off your SSH connection.
Try logging back in via SSH as the root user. You will now see that your login is denied.
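The lock-out risk described above can be checked before the "service sshd restart" step. The script below is an added example, not part of the original article: it reads a group file and an sshd_config and only reports OK when the super user is really in the wheel member list and PermitRootLogin is set to no. The function names and sample files are made up for illustration, and it assumes a single sshd_config with no Match blocks or Include files.

```shell
#!/bin/sh
# Added example: pre-flight check to run as root before restarting sshd.
# File paths are arguments, so it can be tried on copies of the files first.

# in_wheel GROUP_FILE USER: succeeds if USER is in the 4th (member) field of
# the wheel line. /etc/group fields are name:password:GID:members.
in_wheel() {
    awk -F: -v u="$2" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# root_login_setting SSHD_CONFIG: prints the first uncommented PermitRootLogin
# value (sshd uses the first value it reads), or "unset" if there is none.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# safe_to_restart GROUP_FILE SSHD_CONFIG USER: returns 0 only when USER can
# still get in through wheel and root login is switched off.
safe_to_restart() {
    in_wheel "$1" "$3" || { echo "STOP: $3 is not in the wheel group"; return 1; }
    setting=$(root_login_setting "$2")
    [ "$setting" = "no" ] || { echo "STOP: PermitRootLogin is '$setting', not 'no'"; return 2; }
    echo "OK: $3 is in wheel and PermitRootLogin is no"
}

# Constructed sample files (not real server data) so the check runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root:x:0:\nwheel:x:10:bobby46\n' > "$demo_dir/group.good"
printf 'root:x:0:\nwheel:x:bobby46\n'    > "$demo_dir/group.bad"   # GID field missing
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo_dir/sshd.good"
printf '#PermitRootLogin yes\n'                      > "$demo_dir/sshd.commented"

safe_to_restart "$demo_dir/group.good" "$demo_dir/sshd.good" bobby46
safe_to_restart "$demo_dir/group.bad"  "$demo_dir/sshd.good" bobby46 || true
safe_to_restart "$demo_dir/group.good" "$demo_dir/sshd.commented" bobby46 || true
```

On a real server the call would be safe_to_restart /etc/group /etc/ssh/sshd_config bobby46, with bobby46 replaced by your own super username.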