Disable direct root login and create dedicated SSH user

Posted at August 22, 2016 at 10:33 am by Jithin

It is very important to secure your Linux server to protect your data, intellectual property, and time from the hands of crackers (hackers). Everybody says that a Linux server is secure by default, and to some extent this is true: Linux has a built-in security model. We still need to tune and customize it to our needs, which helps make the system more secure. Linux is harder to manage, but it offers more flexibility and configuration options. Securing a server against hackers and crackers is a challenging task for a system administrator.

One of the most important steps in securing your server is to disable direct root login and create a dedicated SSH user. Leaving direct root login enabled makes it much easier for an attacker to log in to your server. Never log in as the root user for that reason. You should use sudo to execute root-level commands. By using sudo we can greatly enhance the security of the system without sharing the root password with other users and admins. It provides simple auditing and tracking features too.

Here we discuss how to disable direct root login and how to create a dedicated SSH user.

Disable direct root login

Please note: do not log out of your system after disabling direct root login. Follow the steps until you have created a dedicated SSH user, and only then log out. Otherwise you will not be able to log in to your system again. Please be careful about this.

The root user can do anything on your system. Imagine someone getting access to your root account! Let's disable direct root login using the steps below.

Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

There you will find the following line.

#PermitRootLogin yes

Change it as shown below.

PermitRootLogin no

Restart the SSH service to apply the change.

/etc/init.d/sshd restart

Now you have disabled direct root login. Follow the steps below to create a dedicated SSH user.

Create dedicated SSH user

After disabling direct root login, you need to create a dedicated SSH user. (Only this user will have SSH login permission on your system.)

We are going to create a dedicated user called “isusr”. Please follow the steps below.

Create the user account.

useradd isusr

Set a password for the user.

passwd isusr

Add this user to the “/etc/sudoers” file. Either edit this file directly or run the command below.

visudo

Here you will find a line like the one shown below.

root    ALL=(ALL)       ALL

The above line means the root user can run any command anywhere. Add the line given below under it.

isusr  ALL=(ALL)       ALL

Now save the file.

From now on, the user “isusr” has permission to run any command anywhere. For this to work you have to prefix every command that you execute as “isusr” with “sudo”.

For example, if you are logged in as “isusr” and want to restart MySQL, do it as shown below.

sudo /etc/init.d/mysql restart

You can also switch from this user to the root user by running the command below.

sudo su -

Now you have disabled direct root login and created a user called “isusr” with full permissions on your system. This does not yet make “isusr” a dedicated SSH user: there may be other users on your system that have SSH shell access. Follow the steps below to block all those users and set “isusr” as the dedicated SSH user.

Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

Add the line below.

AllowUsers isusr

Save the file and restart the SSH service to apply these changes.

/etc/init.d/sshd restart

Now you have created a dedicated SSH user.
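The two sshd_config edits above (PermitRootLogin and AllowUsers) are often scripted on many servers. The script below is an added example, not part of the original post: it sets a directive idempotently, replacing a commented-out or active line in place, dropping later duplicates, and inserting the directive above any "Match" block when it is absent (a line appended after a Match block would apply only to that block). The user name isusr comes from the post; the sample config content is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently set an sshd_config
# directive. sshd honours the first active match, and anything after a
# "Match" line applies only to that block, so new directives go above it.

set_sshd_option() {
    file=$1; key=$2; value=$3; tmp="$file.tmp"
    awk -v k="$key" -v v="$value" '
        /^[[:space:]]*Match([[:space:]]|$)/ && !in_match {
            in_match = 1
            if (!done) { print k " " v; done = 1 }   # insert before the Match block
        }
        !in_match && $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "([[:space:]]|$)") {
            if (!done) { print k " " v; done = 1 }   # first occurrence is rewritten
            next                                     # later duplicates are dropped
        }
        { print }
        END { if (!done) print k " " v }             # no occurrence, no Match: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keeps file perms
}

# Effective global value of a directive: the first active (uncommented)
# match before any Match block, which is how sshd resolves it.
get_sshd_option() {
    awk -v k="$2" '/^[[:space:]]*Match([[:space:]]|$)/ { exit }
                   $1 == k { print $2; exit }' "$1"
}

# Apply the two settings the post describes to the given config file.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers isusr
}

# Constructed sample config (hypothetical content) so this runs offline.
write_sample_config() {
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' \
        'Match User backup' '    PasswordAuthentication no' > "$1"
}

sample=$(mktemp)
write_sample_config "$sample"
harden_sshd_config "$sample"
cat "$sample"
echo "PermitRootLogin=$(get_sshd_option "$sample" PermitRootLogin)"
rm -f "$sample"
```

On a real server run it against /etc/ssh/sshd_config as root, and validate the result with `sshd -t` before restarting the service so that a typo cannot lock you out.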


If you need any further assistance please reach our support department.
