When hardening an Ubuntu server for internet exposure, disabling root login is a fundamental security measure. While you've already locked the root password using sudo passwd -l root, this approach has subtle limitations that professional sysadmins should understand.
For comprehensive protection, we need to implement multiple layers of security:
# 1. Lock the root account
sudo passwd -l root
# 2. Modify SSH configuration (even if already done)
sudo nano /etc/ssh/sshd_config
Ensure these lines exist:
PermitRootLogin no
PasswordAuthentication no
Then restart SSH:
sudo systemctl restart sshd
The SSH modifications handle remote access, but for local console logins, we need additional measures. Create/edit the following file:
sudo nano /etc/securetty
Remove all entries or comment them out to prevent root login from any terminal:
# tty1
# tty2
# tty3
# etc...
For enterprise environments, consider adding this to your PAM configuration:
sudo nano /etc/pam.d/login
Add this line near the top:
auth required pam_securetty.so
Test your setup with these commands:
# Check root account status
sudo passwd -S root
# Attempt SSH as root (should fail immediately)
ssh root@localhost
# Show the failed-login count recorded for root (pam_tally2 is deprecated and
# absent on recent releases; there use: sudo faillock --user root)
sudo pam_tally2 --user=root
For older Ubuntu versions or systems with special requirements, you might need to:
# Replace the root password hash with '!' (no valid hash, so the account is locked)
sudo usermod -p '!' root
# Or alternatively
sudo chage -E 0 root
Remember that some init scripts might still require root access. In such cases, consider using sudo with specific permissions in your /etc/sudoers file instead of completely disabling root.
When administering Ubuntu servers, it's common to temporarily enable root access for maintenance tasks, but leaving it enabled poses significant security risks. Here's how to properly disable it while maintaining system functionality.
There are several approaches to disable root login, each with different implications:
# Method 1: Lock the password (common but potentially problematic)
sudo passwd -l root
# Method 2: Modify PAM configuration (more thorough)
sudo nano /etc/pam.d/common-auth
# Add near the top. A bare "auth required pam_deny.so" here would lock out
# EVERY user, because common-auth is included by all services; the
# pam_succeed_if guard skips the deny line for anyone other than root:
auth [success=1 default=ignore] pam_succeed_if.so user != root quiet_success
auth requisite pam_deny.so
For comprehensive protection, implement multiple layers:
# 1. First lock the root account
sudo passwd -l root
# 2. Disable root SSH access (if not already done)
sudo nano /etc/ssh/sshd_config
# Ensure these lines exist:
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
Some services might require root access. For these cases:
# Create limited sudo privileges for specific services
sudo visudo
# Add line:
service-username ALL=(ALL) NOPASSWD: /path/to/required/command
After making changes, test your setup:
# Check root account status
sudo passwd -S root
# Expected output: "root L ..." (L indicates locked)
# Test SSH access (from another machine)
ssh root@yourserver
# Should immediately reject with "Permission denied"
For physical or console access prevention:
# Edit securetty to prevent root login on terminals
sudo nano /etc/securetty
# Comment out every line (an empty file denies root on all ttys). Do not delete
# the file: pam_securetty permits the login when /etc/securetty is absent
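Both answers end with manual spot checks: passwd -S, a test ssh, a look at securetty. The script below is an added example, not code from either answer, that turns those three checks (root password field locked, sshd_config denying root and passwords, no active securetty entries) into functions that take a file path. That way they can be exercised against constructed sample files without root, and then pointed at the real /etc paths with --live. The parsing rules (first sshd keyword wins, stop at a Match block, '!' or '*' prefix means locked, missing securetty means allow) are my own reading of those tools' behaviour and are not stated on the page.

```bash
#!/usr/bin/env bash
# Added audit helpers (not from either answer above). Each check takes a file
# path so it can run against constructed sample files without privileges.

# Print the effective value of an sshd_config keyword. sshd honours the FIRST
# occurrence of a keyword, keywords are case-insensitive, and anything after a
# Match block is conditional, so stop reading there.
sshd_option() {   # usage: sshd_option <config-file> <keyword>
    local key
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key     { print $2; exit }        # first value wins
    ' "$1"
}

# Return 0 when the file denies root over SSH and disables password logins.
check_sshd_config() {   # usage: check_sshd_config <config-file>
    local rc=0 v
    v=$(sshd_option "$1" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin is '${v:-unset, default prohibit-password}', want no"; rc=1; }
    v=$(sshd_option "$1" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication is '${v:-unset, default yes}', want no"; rc=1; }
    return "$rc"
}

# Return 0 when root's shadow password field is locked. passwd -S reports "L"
# exactly when the field starts with '!' or '*'; an empty field means root can
# log in with no password at all.
check_root_locked() {   # usage: check_root_locked <shadow-file>
    local field
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        '')  echo "FAIL: root entry missing or has an empty password field"; return 1 ;;
        *)   echo "FAIL: root still has a usable password hash"; return 1 ;;
    esac
}

# Return 0 when no tty remains allowed for root. Commented-out and blank lines
# are fine; an active entry is a failure. A MISSING file is also a failure,
# because pam_securetty permits the login when /etc/securetty does not exist.
check_securetty() {   # usage: check_securetty <securetty-file>
    if [ ! -f "$1" ]; then
        echo "FAIL: $1 is missing; pam_securetty allows root when the file is absent"
        return 1
    fi
    if grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"; then
        echo "FAIL: active tty entries remain in $1:"
        grep -E '^[[:space:]]*[^#[:space:]]' "$1"
        return 1
    fi
    return 0
}

# Run every check against the live paths (reading /etc/shadow needs root).
audit_system() {
    local rc=0
    check_sshd_config /etc/ssh/sshd_config || rc=1
    check_root_locked /etc/shadow          || rc=1
    check_securetty   /etc/securetty       || rc=1
    [ "$rc" -eq 0 ] && echo "OK: root is denied over SSH, by password and on local ttys"
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    audit_system
fi
```

Run it as `sudo ./audit-root.sh --live` (file name is my choice). The sshd check reads one file only: on Ubuntu releases whose sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file can supply the first value of a keyword, so treat `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` as the authoritative view of the effective configuration and use this function as a quick pre-check on files you are editing.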