Tutorial
How To Disable Root Login on Ubuntu 20.04
The author selected Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.
Introduction
All Linux-based machines come with a default root user that has all privileges on the machine; by default, you always act as a root user (a superuser). Good security practices recommend that you disable the root login over SSH to prevent unauthorized access to your Linux-based machine by any other user. Disabling root login prevents root access over SSH to your Linux-based machine, which means that no one will have unlimited privileges. Following the recommended security practices, you should create an additional user with almost all superuser privileges to access the account.
In this tutorial, you will disable the root login on Ubuntu, preventing unauthorized root access over SSH and improving your Linux-based system’s security.
Prerequisites
To complete this tutorial, you will need:
- One Ubuntu 20.04 server with a non-root user with
sudoprivileges, a firewall, and at least 1GB of RAM, which you can set up by following the Ubuntu 20.04 initial server setup guide.
Step 1 — Logging In and Checking auth.log
In this step, you will access your server via your sudo-enabled, non-root user to check the authentication attempts to your server. By reviewing the authentication log, you may see both authorized and unauthorized login attempts.
During the prerequisites, you created a new user and added that user to the sudo group to grant administrative privileges. You will use this sudo user to access your machine because you won’t be able to SSH as a root user after disabling the root login.
Based on your chosen login method, log into your server using SSH. If you logged into your root account using the SSH keys during the initial server setup, you must use a key-based mechanism as password authentication is disabled when using a key-based login for your server. Otherwise, use the password-based login with the sudo-enabled user password.
Log into your server as your sudo-enabled user (in this tutorial, it will be sammy) using the following command for password-based login:
- ssh sammy@your_server_ip
If using a key-based login method, log into your server as your sudo-enabled user with the following command:
- ssh -i your_private_key sammy@your_server_ip
The -i flag represents the identity file from which your_private_key is read for authentication.
Next, inspect the auth.log file by moving to the /var/log directory:
- cd /var/log/
Use cat auth.log to display the contents of the file:
- sudo cat auth.log
Enter your password if prompted.
You will receive an output similar to this:
OutputMay 29 18:46:32 ubuntu sshd[3886]: Disconnected from invalid user cally 43.155.90.144 port 47454 [preauth]
May 29 18:51:56 ubuntu sshd[3890]: Received disconnect from 195.38.129.16 port 10017:11: Bye Bye [preauth]
May 29 18:51:56 ubuntu sshd[3890]: Disconnected from authenticating user root 195.38.129.16 port 10017 [preauth]
May 29 18:52:24 ubuntu sshd[3892]: Received disconnect from 178.128.234.248 port 58660:11: Bye Bye [preauth]
May 29 18:52:24 ubuntu sshd[3892]: Disconnected from authenticating user root 178.128.234.248 port 58660 [preauth]
May 29 18:52:34 ubuntu sshd[3894]: Received disconnect from 43.134.106.128 port 33854:11: Bye Bye [preauth]
May 29 18:52:34 ubuntu sshd[3894]: Disconnected from authenticating user root 43.134.106.128 port 33854 [preauth]
May 29 18:53:07 ubuntu sshd[3896]: Invalid user projects from 176.183.60.72 port 42070
May 29 18:53:07 ubuntu sshd[3896]: Received disconnect from 176.183.60.72 port 42070:11: Bye Bye [preauth]
May 29 18:53:07 ubuntu sshd[3896]: Disconnected from invalid user projects 176.183.60.72 port 42070 [preauth]
May 29 18:57:27 ubuntu sshd[3900]: Received disconnect from 92.255.85.135 port 20436:11: Bye Bye [preauth]
May 29 18:57:27 ubuntu sshd[3900]: Disconnected from authenticating user root 92.255.85.135 port 20436 [preauth]
May 29 19:06:40 ubuntu sshd[3903]: Invalid user default from 27.71.207.190 port 57513
May 29 19:06:41 ubuntu sshd[3903]: Connection closed by invalid user default 27.71.207.190 port 57513 [preauth]
...
The auth.log file logs all authentication attempts made to a server. You might see a lot of unknown and unauthorized requests being received by your server. For this reason, you might want to disable root login on your system and rotate your keys and passwords regularly.
You have now reviewed the authentication logs that indicate your server has received more than just your authentication requests. Next, you will update your server’s SSH configuration so that the root access is completely disabled on your server.
Step 2 — Disabling Root Login
In this step, you will edit the sshd_config file to disable the root login and then restart the sshd daemon to read the configuration after the modifications.
The sshd_config file stores the SSH daemon configuration containing the parameters used by sshd. The daemon is responsible for handling SSH connections. You need to restart the sshd daemon to apply the configuration changes. This configuration change will instruct the sshd not to permit root login over SSH.
Open the file sshd_config located in the /etc/ssh directory using nano or your favorite text editor:
- sudo nano /etc/ssh/sshd_config
Review the file, looking for the PermitRootLogin line:
Output...
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
...
Change the value of the key PermitRootLogin from yes to no:
Output...
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
...
Save and close the file.
Next, you will restart the sshd daemon to read the configuration after the modifications you just made.
Use the following command to restart the daemon:
- sudo systemctl restart sshd
This command will restart the sshd service using systemctl.
In this step, you changed the configuration file to deny root login requests and restarted the sshd to read the latest configuration. Next, you will test whether root login is disabled or not by making a root login attempt to your server.
Step 3 — Testing Root Login
After disabling the root login, try logging into a new terminal session with SSH as root. Use the following commands based on your preferred login mechanism.
If using password-based login:
- ssh root@your_server_ip
If using key-based login:
- ssh -i your_private_key root@your_server_ip
The attempt to SSH as root will fail with an error message like this:
Outputroot@your_server_ip: Permission denied (publickey).
To access to server again, log into your server with the sudo-enabled non-root user credentials to confirm that you can still access the server.
If using password-based login:
- ssh sammy@your_server_ip
If using key-based login:
- ssh -i your_private_key sammy@your_server_ip
You can now continue using the server as needed.
Conclusion
In this article, you configured the sshd configuration to disable the root login on Ubuntu. Now you know how to prevent root login to your Linux-based machines, thus adding an extra layer of security to your machines.
To continue setting up your machine, read more on How to Keep Ubuntu 20.04 Servers Updated.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Apparently
sshdwas renamed tossh? The restart command I needed in Ubuntu 22.10 wasOtherwise I got this error message: