How to disable or restrict direct root login via console or ssh

Below article is a must read to harden your existing sshd configuration file

Best practices to harden and increase security with ssh (ciphers, MACs etc)

By default root user had direct login access to the Linux machine which can be dangerous and in most organisation it is restricted

But how do we restrict a direct root user login?
Firstly ssh based direct root login must be diabled which can be done via sshd_config

Modify your /etc/ssh/sshd_config and make sure PermitRootLogin is disabled as shown below

# grep -i PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no

By default the value would be yes, so change it to "no" and save your file follwed by a sshd service restart to make the changes affect

# systemctl restart sshd.service

Using this you disabled ssh based direct root login but what if someone gets access to the GUI console, which can be iLO for a physical blade and a GUI console for VMware via vnc or some other tool?
The above changes will not restrict a direct root login via console as that is not ssh

Disable direct root login via console

To achieve this clear the contents of "/etc/securetty"
By default this file contains the content of all the terminals on which a direct root login would be allowed

# cat /dev/null > /etc/securetty

Now you can try to do a root login via console, and it should fail

I hope the article was useful.

Leave a Comment