One of the best ways of securing your Linux box is by disabling root logins. The “root” user is the most powerful user in Linux and it has all rights and permissions in Linux. It is a special user account and should only be used for administration purposes. Thus, if a user gets access to the root account on your computers, you might as well bid goodbye to any or all information available on your computer. There are multiple ways in which a root user can log-in, and therefore, multiple doors to lock. Let’s take a look at them. It is assumed in this guide that you have permissions to alter certain system configuration files. This is possible by using the sudo command or by being logged in as root.
Disabling Local Root Logins
This method will block root logins locally on the computer. Examples of these are when your Linux distribution boots up and asks you for a username and a password. It is relevant for command-line logins and GUI logins like those found in Gnome, KDE and X.
The /etc/securetty file defines the local terminals (Alt+Shift+<number from 1-6>) on the computer which are considered secure and can be allowed to have a root login. Simply having a blank securetty file ensures that all local terminals are considered insecure and will not allow anyone to login using the root account.
echo > /etc/securetty
This command will overwrite the contents of /etc/securetty with a blank file. Make sure to store a backup of the original file if you ever think you might need it.
Disabling Remote Root Logins
This method will disable root logins from remote connections to this computer. Remote connections are initiated using the telnet or ssh protocol and allow a remote user to control your computer in the same way that a local user would. Disabling remote ssh logins is a very smart thing to do since a lot of Linux users are attacked by hackers who try to brute-force root passwords using ssh.
To disable root logins through ssh, edit the file /etc/ssh/sshd_config. Refer to your distribution’s documentation in case the location of the file is different in your distribution. In this file, change the line that says “PermitRootLogin yes” to “PermitRootLogin no". If there is a # at the start of the line, remove it. Now save the file.
This hole might already be plugged in your specific distribution by default, but it doesn’t hurt to check. Once the file has been modified and saved, you must restart the ssh daemon to use the new configuration. To do so, type "/etc/init.d/ssdh restart” to make it use the new configuration file.
Sudo and Su
Once you’ve secured the root logins, you can still perform administrative or important tasks using the sudo or su command. These commands execute your command using the privileges of the root account. The sudo command lets you execute administrative commands even if you don’t know the password of the root account. The su command lets you use administrative accounts, provided that your user is part of the group “wheel”.
The usage of the sudo command is as follows:
sudo any_command /home/test.xyz
This will run the any_command using privileges granted to the root user. any_command will then act as it’s being run by the root user. The su command will ask you for the root password, and on entering it, you will get a shell with the root login. This is much more dangerous and therefore, not advised.
Disabling root logins is one of the first steps towards a very secure Linux system. This protection will stop a big percentage of people from being able to “root” your box. And with commands like sudo and su, your normal users do not lose any of their privileges. Instead, a layer of security is added which can then be modified by changing the /etc/sudoers file or adding the specific user to the wheel group.