A strong password helps protect your server against brute-force attacks, but an attacker can still attempt them. The following instructions disable SSH logins for the root user and let another user assume the root user's permissions. This adds another layer of security because an additional username and password must be entered before gaining root privileges.
This article describes how to disable SSH logins for the root account. For security reasons, you should create a normal user account, and then disable SSH logins for the root account as soon as possible.
Creating a Normal User Account
Before you disable SSH logins for the root account, you must create a normal user account. (Otherwise, you will be unable to access your server when you disable the root account for SSH logins.)
Follow the steps below to create a normal user account:
1. Add the user. In the following example, we will use the user name admin. The command adduser will automatically create the user, initial group, and home directory.
[[email protected] ~]# adduser admin
[[email protected] ~]# id admin
uid=10018(admin) gid=10018(admin) groups=10018(admin)
[[email protected] ~]# ls -lad /home/admin/
drwx------ 2 admin admin 4096 Jun 25 16:01 /home/admin/
2. Set the password for the admin user. When prompted, type and then retype the password.
[[email protected] ~]# passwd admin
Changing password for user admin.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
3. To grant sudo permissions to the new admin user, use the following command.
[[email protected] ~]# echo 'admin ALL=(ALL) ALL' >> /etc/sudoers
4. SSH to the server with the new admin user and ensure that the login works.
[[email protected] ~]# ssh [email protected]
[email protected]'s password:
[[email protected] ~]$
5. Verify that you can su (switch user) to root with the admin user.
[[email protected] ~]$ su -
Password:
[[email protected] ~]$ whoami
root
6. To disable root SSH login, edit /etc/ssh/sshd_config with your favorite text editor.
[[email protected] ~]# vi /etc/ssh/sshd_config
Change this line:
Edit to this:
7. Ensure that you are logged into the box with another shell before restarting sshd to avoid locking yourself out of the server.
[[email protected] ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[[email protected] ~]#
You can now connect to your server via SSH as the admin user and then use the su command to switch to the root user.
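The sshd_config change in step 6 can be checked and applied with a script. The following is an added example, not part of the original article: it assumes the setting in question is OpenSSH's PermitRootLogin keyword, and the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed.

# Print the global PermitRootLogin value in config file $1, or "unset".
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively; lines after a Match line are conditional, so stop there.
root_login_setting() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Write a copy of $1 to $2 with root login disabled: every active
# PermitRootLogin line (including ones inside Match blocks) is dropped and
# a single "PermitRootLogin no" goes first so that it is the value sshd reads.
disable_root_login() {
    {
        echo "PermitRootLogin no"
        awk 'tolower($0) !~ /^[ \t]*permitrootlogin[ \t=]/' "$1"
    } > "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
Port 22
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
    echo "before: $(root_login_setting "$tmp/sshd_config")"      # yes
    disable_root_login "$tmp/sshd_config" "$tmp/sshd_config.new"
    echo "after:  $(root_login_setting "$tmp/sshd_config.new")"  # no
    # On a real server, check the new file with: sshd -t -f <file>
    # before installing it and restarting sshd.
    rm -rf "$tmp"
}
demo
```

The sample shows why reading only the last PermitRootLogin line is misleading: the lowercase "yes" line comes first and is the one that takes effect until the file is rewritten.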