How to Disable Remote Logon for Root on Ubuntu 16.04 LTS Servers

Allowing the root user to log on to your server remotely can be a dangerous thing. This is why Ubuntu is installed with the root account unusable, and it is recommended that it stays that way to protect your servers.
The Ubuntu root account isn't disabled; it just doesn't have a password. Without a password, there is probably no way for the root account to log on remotely, whether via SSH or other remote tools.
When you install the OpenSSH server, the root account is allowed to log on. Again, this is not a problem while the root account has no password assigned, but if someone mistakenly assigns a weak or temporary password to the root account, that creates a security hole on your systems.
This brief tutorial shows students and new users how to stop the root account from logging on to your server remotely, so that even if the bad guys attempt to brute-force their way in, they will not succeed.
To disable the root account from logging on remotely, follow the steps below:
Step 1: Disable SSH Logon for the Root User
The primary way for users to access their server remotely is via SSH, because SSH provides secure communication between the client machine and the server.
This is also the primary means by which attackers attempt to break into the system. If you want to harden your server, disable SSH root access. To do that, run the command below to open the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config
Then scroll down the file and change the line that permits root access from prohibit-password to no, so that the Authentication section reads:
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
Save the file and reload the SSH service:
sudo systemctl reload sshd.service
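Before reloading, it is worth checking which PermitRootLogin value sshd will actually use, because sshd takes the first uncommented occurrence of a keyword and ignores later ones, so a "no" appended below an existing "yes" does nothing. The script below is an added example, not part of the original tutorial; it assumes the OpenSSH 7.2 default of prohibit-password when the keyword is absent, and it only considers lines before the first Match block.

```shell
#!/bin/sh
# Added example (not from the original post): report the PermitRootLogin value
# that sshd will actually use for a given sshd_config, following sshd's rules:
# the FIRST uncommented occurrence of a keyword wins, only lines before the
# first "Match" block apply globally, and an absent keyword falls back to the
# compiled-in default (prohibit-password on the OpenSSH 7.2 in Ubuntu 16.04).
# Usage: effective_permit_root_login /etc/ssh/sshd_config

effective_permit_root_login() {
    # Strip comments, then let awk stop at the first Match block or first hit.
    value=$(sed -e 's/#.*//' "$1" | awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    if [ -z "$value" ]; then
        echo "prohibit-password"   # assumption: OpenSSH >= 7.0 default
    else
        echo "$value"
    fi
}

# Succeeds (exit 0) only when root cannot log on over SSH by any method.
root_ssh_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Demo on a constructed config: the "PermitRootLogin no" appended at the end
# does NOT take effect, because the earlier "yes" line wins.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'PermitRootLogin yes' \
                  '#PermitRootLogin no' \
                  'PermitRootLogin no' > "$tmp"
    printf 'effective value: %s\n' "$(effective_permit_root_login "$tmp")"
    if root_ssh_login_disabled "$tmp"; then
        echo "root SSH login disabled"
    else
        echo "root SSH login still possible: fix the FIRST PermitRootLogin line"
    fi
    rm -f "$tmp"
}
demo
```

On a live server, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd itself resolved, which is the authoritative check after a reload.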
Step 2: Globally Disable Remote Root Logon
Alternatively, you can globally disable root logon from remote locations and only allow local logon via the console. To block the root account from everywhere except local, open the access.conf file by running the command below:
sudo nano /etc/security/access.conf
Then add the line below to the file:
-:root:ALL EXCEPT LOCAL
Save the file. This blocks the root account from logging on remotely while still allowing local (console) logins. Note that access.conf is only enforced by services whose PAM stack includes pam_access; on Ubuntu the line account required pam_access.so in /etc/pam.d/sshd is commented out by default, so uncomment it (and the matching line in /etc/pam.d/login if you want the rule applied there too) for the restriction to take effect.
This should do it.
Enjoy!