How to Disable Remote Logon for Root on Ubuntu 16.04 LTS Servers

Allowing the root user to log on to your server remotely is dangerous. This is why Ubuntu is installed with the root account locked, and it is recommended that it stays that way to protect your servers.

The Ubuntu root account is not deleted or disabled outright; its password is locked (the password field in /etc/shadow holds a "!"), so no password can ever match it. That is enough to stop password logons as root, whether at the console or over SSH or any other remote tool. It does not stop key-based logons: if an SSH public key is ever placed in /root/.ssh/authorized_keys, the stock sshd setting (PermitRootLogin prohibit-password) still lets root in with that key.

When the OpenSSH server is installed on Ubuntu 16.04, sshd ships with PermitRootLogin prohibit-password: root cannot log on with a password, but can with a key. That is not a problem as long as root has no password and no authorized keys, but if someone mistakenly assigns a weak or temporary password to root, or flips PermitRootLogin to yes while troubleshooting and forgets to revert it, you have a remotely reachable account with the best-known username on every Linux system.

This brief tutorial shows students and new users how to stop the root account from logging on remotely. Once it is in place, even if attackers try to brute-force root's password over SSH, the attempt is rejected whether or not the password is right.

To disable the root account from logging on remotely, follow the steps below:

Step 1: Disable SSH Logon for the Root User

The primary way users access a server remotely is SSH, because it gives an encrypted, authenticated channel between the client machine and the server.

It is also the primary means by which attackers attempt to break into the system, and root is the first username they try. If you want to harden your server, disable SSH root access. To do that, run the command below to open the OpenSSH server configuration file.

sudo nano /etc/ssh/sshd_config

Then scroll down to the Authentication section and change the line that controls root access from prohibit-password to no:

PermitRootLogin no

The section should then look like this:

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

Outside of Match blocks sshd uses the first PermitRootLogin it finds, and a PermitRootLogin inside a Match block overrides the global value for the connections that block matches, so make sure this is the only uncommented PermitRootLogin line in the file.

Save the file. Before reloading, make sure you have another account with sudo rights (see the link at the end of this post) and keep your current SSH session open: a reload does not drop existing sessions, so if the change locks you out, that open session is your way back in. Check that the configuration parses cleanly (sshd -t prints nothing on success), then reload the SSH service.

sudo systemctl reload sshd.service

On Ubuntu the unit is ssh.service; sshd.service is an alias for it, so either name works.

Step 2: Globally Disable Remote Root Logon

Alternatively, or as a second layer on top of Step 1, you can deny remote logons for root in PAM and allow only local logons at the console. Unlike the sshd setting, this covers every PAM-aware service, not just SSH. To do that, open the access.conf file by running the command below.

sudo nano /etc/security/access.conf

Then add the line below to the file, above any permissive rule such as +:ALL:ALL, because pam_access stops at the first rule that matches.

-:root:ALL EXCEPT LOCAL

Save the file. No restart is needed: PAM reads access.conf at each logon. The rule only has an effect where pam_access.so is part of the PAM account stack, and on Ubuntu 16.04 it is not enabled by default; for SSH, uncomment the "account required pam_access.so" line in /etc/pam.d/sshd (sshd must also be running with UsePAM yes, which is the Ubuntu default). With that in place the root account is refused from any remote origin but can still log on at the local console.
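The two steps above, combined into one script, as an added example that is not part of the original tutorial. It edits PermitRootLogin so that exactly one active directive remains and it reads no, validates the result with sshd -t before reloading, and inserts the access.conf rule at the top of the file so no earlier permissive rule can shadow it. The function names, the --apply flag and the sample configuration used in the comments are this example's own choices; the functions take a file path so they can be dry-run against copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply both steps idempotently.
# The functions work on any file path so they can be tested against copies;
# only --apply touches /etc, and that must be run as root.
set -eu

ACCESS_RULE='-:root:ALL EXCEPT LOCAL'

# Print the value sshd would use for PermitRootLogin: the FIRST active
# directive wins, so a later duplicate is not the one that counts. Prints
# nothing if none is set (sshd default, prohibit-password on OpenSSH 7.x).
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Count active (uncommented) PermitRootLogin directives, Match blocks included.
count_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { n++ } END { print n + 0 }' "$1"
}

# Force PermitRootLogin no: comment out every existing active directive so
# nothing in a Match block can re-enable root, then put ours at the top where
# it is guaranteed to be the first occurrence. No-op if already in that state.
# The file is rewritten in place so its owner and mode are preserved.
set_permit_root_login_no() {
    f="$1"
    if [ "$(count_permit_root_login "$f")" -eq 1 ] &&
       [ "$(effective_permit_root_login "$f")" = "no" ]; then
        return 0
    fi
    tmp="$f.tmp.$$"
    {
        echo "PermitRootLogin no"
        awk 'tolower($1) == "permitrootlogin" { print "#" $0; next } { print }' "$f"
    } > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# pam_access stops at the first matching rule, so a permissive catch-all
# earlier in the file (e.g. +:ALL:ALL) would win; insert the deny rule first.
has_access_rule() {
    grep -qxF -- "$ACCESS_RULE" "$1"
}

add_access_rule() {
    f="$1"
    if has_access_rule "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    { echo "$ACCESS_RULE"; cat "$f"; } > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Real run. Keep your current SSH session open and test from a second one.
if [ "${1:-}" = "--apply" ]; then
    set_permit_root_login_no /etc/ssh/sshd_config
    # Refuse to reload on a broken config; a typo here locks everyone out.
    sshd -t
    systemctl reload ssh.service
    add_access_rule /etc/security/access.conf
    echo "PermitRootLogin is now: $(effective_permit_root_login /etc/ssh/sshd_config)"
    echo "Remember to enable pam_access.so in /etc/pam.d/sshd for the access.conf rule to apply."
fi
```

Dry-run it first by copying /etc/ssh/sshd_config somewhere writable and calling set_permit_root_login_no on the copy, then diff the two files; once the diff looks right, run the script with --apply under sudo.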

This should do it.

Enjoy!

You may also like the post below:

How to Setup New Sudo User on Ubuntu 16.04 LTS Servers
