Linux: disable the root user

  • When you create a cloud host, most cloud service providers hand you the root user. That is convenient, but it causes problems later: once services have been started on the server, only an account with root privileges can change or access them, which creates unnecessary trouble and is not safe. For security, and to manage a multi-user server in the future, the root user should be disabled from the outset, and any command that needs root should be run only through sudo.
  1. Tools needed: a Linux cloud host and an SSH client
  2. Create a user with sudo privileges
    1. Note: before blocking access to the root account, make sure to create an administrative account with the useradd command, one that can obtain root privileges through sudo, and give that account a strong password. The -m flag creates the user's home directory and -c sets a comment:
      # useradd -m -c "Admin User" admin
      # passwd admin
    2. Next, use the usermod command to add the user to the appropriate system administrators group; the -a switch appends the user to the group and -G specifies the group to add the user to (wheel or sudo, depending on your Linux distribution):
      # usermod -aG wheel admin    #CentOS/RHEL
      # usermod -aG sudo admin     #Debian/Ubuntu
    3. After creating the user with administrative privileges, switch to that account before blocking access to root.
      # su admin
  3. Change the root user's Shell
    1. The easiest way to disable root logins is to change its shell in the /etc/passwd file from /bin/bash (or any other shell that allows users to log in) to /sbin/nologin. Open the file for editing with any command line editor you like, as the picture shows.
      $ sudo vim /etc/passwd


      root:x:0:0:root:/root:/bin/bash
      to
      root:x:0:0:root:/root:/sbin/nologin

      Save the file and close it.

      From now on, when the root user logs in, he/she will receive the message "This account is currently unavailable." This is the default message; you can change it by putting a custom message in the file /etc/nologin.txt. This method only takes effect for programs that require a login shell for the user; otherwise sudo, FTP and email clients can still access the root account.
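      Because this method only works if the shell field really was changed, it is worth checking the result rather than trusting the edit. The following script is an added example, not part of the original post: it reads a passwd-format file and lists every UID-0 account that still has a login shell, which also catches a second UID-0 account that is not named root. The sample file it builds is constructed for the demonstration and is not data from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file
# for UID-0 accounts that still have a login shell.
#
# Usage: uid0_login_shells /etc/passwd
# Prints "user shell" for each account with UID 0 whose shell is neither
# a nologin binary (/sbin/nologin, /usr/sbin/nologin) nor /bin/false.
# Prints nothing when every UID-0 account is locked out of interactive login.
uid0_login_shells() {
    awk -F: '$3 == 0 && $7 !~ /nologin$/ && $7 != "/bin/false" { print $1, $7 }' "$1"
}

# Constructed sample passwd file (not a real system's data). It exercises
# three cases: root already disabled, a second UID-0 account ("toor") that
# still has bash, and an ordinary user that must be ignored.
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
toor:x:0:0:backup root:/root:/bin/bash
admin:x:1000:1000:Admin User:/home/admin:/bin/bash
EOF

# Only "toor /bin/bash" should be reported for the sample above.
uid0_login_shells "$SAMPLE_PASSWD"
```

      Run it against the real file with `uid0_login_shells /etc/passwd` after the edit; an empty result means no UID-0 account can get an interactive shell through a program that honours the login shell.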

  4. Disable root login by console device (TTY)
    1. The second method uses the PAM module named pam_securetty, which allows root to log in only on "secure" TTYs, as defined in the list in /etc/securetty.

      This file lets you specify which TTY devices the root user may log in from; an empty file prevents root from logging in on any device attached to the computer.

      To create an empty file, run:

      $ sudo mv /etc/securetty /etc/securetty.orig
      $ sudo touch /etc/securetty
      $ sudo chmod 600 /etc/securetty

      This approach has limitations: it only affects programs such as login and display managers (i.e. GDM, KDM and xdm) and other network services that start a TTY. Programs such as su, sudo, ssh and the other related openssh tools will still have access to the root account.

  5. Disabling SSH root login
    1. The most common way to access a remote server or VPS is through SSH. To prevent the root user from logging in over it, you need to edit the /etc/ssh/sshd_config file.
      $ sudo vim /etc/ssh/sshd_config

      Find the PermitRootLogin directive, uncomment it if it is commented out, and set its value to no, as shown in the screenshot.

      [Screenshot: root login disabled in SSH]

      When finished, save and close the file. Then restart the sshd service to apply the latest configuration changes.

      $ sudo systemctl restart sshd
      OR
      $ sudo service sshd restart

      As you may already know, this method only affects the openssh toolset: ssh, scp, sftp and the related programs will be blocked from accessing the root account.
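      A common mistake with this step is to add `PermitRootLogin no` somewhere that sshd does not read as the global setting: sshd uses the first value it finds for a keyword, ignores commented lines, and treats anything after a `Match` line as conditional on that block. The following script is an added example, not part of the original post: it reports the effective global value of PermitRootLogin from an sshd_config-style file with those rules applied. The sample configuration it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective global
# PermitRootLogin value from an sshd_config-style file.
#
# Rules applied, matching how sshd reads the file:
#   - comment lines (leading "#") are ignored, so "#PermitRootLogin no" does nothing;
#   - keywords are case-insensitive;
#   - the FIRST value found wins, later duplicates are ignored;
#   - everything after a "Match" line belongs to that conditional block and
#     is not the global setting.
# Usage: permit_root_login /etc/ssh/sshd_config
# Prints the lower-cased value, or "default" when the file sets none
# (OpenSSH then falls back to its compiled-in default, prohibit-password).
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                                   # comment line
        tolower($1) == "match" { in_match = 1 }               # conditional block starts
        in_match { next }                                     # skip Match block contents
        NF >= 2 && tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Constructed sample sshd_config (not a real server's file). The commented
# line and the value inside the Match block must both be ignored, leaving
# the global "no" in force.
SAMPLE_SSHD_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample
#PermitRootLogin yes
Port 22
permitrootlogin no
Match User backup
    PermitRootLogin yes
EOF

# Prints "no" for the sample above.
permit_root_login "$SAMPLE_SSHD_CONFIG"
```

      Run `permit_root_login /etc/ssh/sshd_config` after the edit and before restarting sshd; anything other than `no` means the change did not land where sshd will read it.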

  6. By PAM root user logon restrictions
    1. Pluggable Authentication Modules (PAM for short) is a centralized, pluggable, modular and flexible method of authentication on Linux systems. Through the PAM module /lib/security/pam_listfile.so you can restrict the privileges of specific accounts with great flexibility.

      This module can be used to reference a list of users who are allowed, or not allowed, to log in through some services (such as login, ssh, and any PAM-aware program).

      In this case, we want to deny the root user access to the system by restricting access through the login and sshd services. First, open and edit the files for the target services in the /etc/pam.d/ directory, as shown.

      $ sudo vim /etc/pam.d/login
      OR
      $ sudo vim /etc/pam.d/sshd

      Next, add the following configuration in both files.

      auth    required       pam_listfile.so \
              onerr=succeed  item=user  sense=deny  file=/etc/ssh/deniedusers

      When finished, save and close each file. Then create the plain file /etc/ssh/deniedusers, which should contain one username per line and must not be world readable.

      Add the name root to it, then save and close it.

      $ sudo vim /etc/ssh/deniedusers

      Also set the required permissions on this file.

      $ sudo chmod 600 /etc/ssh/deniedusers

      This method only affects programs and services that are PAM-aware. It can block root access to the system through ftp and email clients as well.

      For more information, please refer to the relevant manual pages.

      $ man pam_securetty
      $ man sshd_config
      $ man pam
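      The pam_listfile setup has three parts that must all be right (the rule in the service file, root listed in the deny file, and the deny file not world readable), and the rule is usually split over two lines with a trailing backslash as above. The following script is an added example, not part of the original post: it checks one service file under /etc/pam.d/ for all three. It builds a constructed service file and deny file in a temporary directory so it runs without touching the real system; the function takes the service file path as an argument, so it can also be pointed at /etc/pam.d/sshd or /etc/pam.d/login.

```shell
#!/bin/sh
# Added example (not from the original post): verify the pam_listfile deny
# rule for one PAM service file, e.g. check_pam_deny_root /etc/pam.d/sshd
#
# Checks, in order:
#   1. an "auth required pam_listfile.so ... item=user sense=deny" rule exists
#      (backslash-continued lines are joined first, as the post splits the rule);
#   2. the file named by its file= argument lists "root" on a line of its own;
#   3. that file is not world-readable (the post sets mode 600).
# Prints what is missing and returns 1, or prints OK and returns 0.
check_pam_deny_root() {
    service_file="$1"
    rule="$(awk '{ if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$service_file" \
            | grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_listfile\.so' \
            | grep 'item=user' | grep 'sense=deny' | head -n 1)"
    if [ -z "$rule" ]; then
        echo "MISSING: no 'auth required pam_listfile.so ... item=user sense=deny' rule in $service_file"
        return 1
    fi
    deny_file="$(printf '%s\n' "$rule" | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p')"
    if [ -z "$deny_file" ]; then
        echo "MISSING: the pam_listfile rule in $service_file has no file= argument"
        return 1
    fi
    if ! grep -qx 'root' "$deny_file" 2>/dev/null; then
        echo "MISSING: $deny_file does not list root (or is unreadable)"
        return 1
    fi
    # Octal mode; GNU stat first, BSD stat as fallback. A last digit of 4-7
    # means "others" can read the file.
    mode="$(stat -c '%a' "$deny_file" 2>/dev/null || stat -f '%Lp' "$deny_file")"
    case "$mode" in
        *[4567]) echo "WEAK: $deny_file is world-readable (mode $mode)"; return 1 ;;
    esac
    echo "OK: $service_file denies root via $deny_file (mode $mode)"
    return 0
}

# Constructed sample files (not a real system's configuration) in a
# temporary directory: a deny list holding only "root" with mode 600, and a
# service file carrying the two-line rule from the post pointing at it.
TMPDIR_EX="$(mktemp -d)"
trap 'rm -rf "$TMPDIR_EX"' EXIT
DENY="$TMPDIR_EX/deniedusers"
printf 'root\n' > "$DENY"
chmod 600 "$DENY"
printf 'auth    required       pam_listfile.so \\\n        onerr=succeed  item=user  sense=deny  file=%s\nauth    include        system-auth\n' \
    "$DENY" > "$TMPDIR_EX/sshd"

# Prints "OK: ... denies root via ... (mode 600)" for the sample above.
check_pam_deny_root "$TMPDIR_EX/sshd"
```

      One caveat worth knowing when reading the rule: onerr=succeed tells pam_listfile to return success if it cannot open or read the list file, so a missing or unreadable /etc/ssh/deniedusers silently stops denying root; onerr=fail is the fail-closed choice if that matters more to you than locking everyone out after a bad edit.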

Origin www.cnblogs.com/bestwei/p/11969227.html