In my earlier article on creating a new user + shell, I’d explained that it’s a good idea to disable direct root access via SSH. One of the reasons we see so many failed login attempts is that spammers constantly bombard servers with fake credentials, searching for a way in. One solution was to change the SSH port, which some in the security industry classify as “security by obscurity” and don’t view as a valid measure (even though I disagree).
However, another way of inhibiting hackers from spamming your server and using up resources is simply to disable root logins. In general, this is part of the overall security paradigm of never working directly with a root account in the first place. In Linux, any user can be configured to have administrative permissions via the “sudo” command.
So in this tutorial, we’re going to learn how to do the following:
- Give an existing user “sudo” permissions
- Disable root access
Allowing a User to Access “Sudo”
If you disable root logins without first giving an existing user administrative permissions, you’ve effectively locked yourself out of the server! Since you can’t log in as root, and no one else can perform root functions, you would need to access the backend directly to undo the changes. So granting “sudo” access is what we’re going to do first.
Right now, if we try to execute a sudo command with a fresh user, we see something like this:
This is because every user to whom we want to give “sudo” access has to be added to the “sudoers” file. Here’s how to do it.
Log in as Root and Execute “visudo”
This is a root operation, so you’ll first need to log in as root. Once inside, type the command “visudo”. This will open the “/etc/sudoers” file, but in a safe way, with checks so that you don’t mess up anything too badly!
Scroll Down to the Appropriate Line
The “vi” editor is very different from what you might be used to. It requires a specific set of keyboard presses. First, scroll down using the keyboard to the line that says this:
## Allow root to run any commands anywhere
Now position the cursor under the line starting with %wheel. Press the “Insert” button on your keyboard to enter editing mode. vi will now allow you to type text on that line.
Add the following:
[username] ALL=(ALL) ALL
Like this:
Replace [username] above, with the name of the user to whom you want to give “sudo” access. Once you’ve finished typing, press the “Escape” button a couple of times. This will exit the editing mode. Now type “ZZ” (Shift + Z + Z). This will save the changes and exit visudo.
Verifying that it Works
Now let’s see if it works. Try the same operation that we did before. This time, it asks for the password and the command goes through as expected:
So that’s working!
Disabling Root Access
Now that we’re capable of executing root commands via an existing user, it’s safe to disable root. Here’s how to do it. Access your InterWorx dashboard, and go to system services as shown here:
Now on the right-hand side, select to disable root logins as shown in this screenshot:
Update your changes and you’re done!
Testing Root Access
Now exit your shell and try to log in again. If all goes well, you should be met with an “Access Denied” message as shown here:
This is working as intended. It’s widely considered a bad idea to log in as root, or even to work directly with the root account. Hopefully, this tutorial will make your server just a little bit safer!
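A preflight for the lockout risk described above, as an added example that is not part of the original tutorial: it checks sudoers text for a rule covering the user and reads the root-login setting from sshd_config text. The users “deploy” and “alice”, the function names and both sample files are constructed, and it assumes the dashboard switch corresponds to OpenSSH’s PermitRootLogin directive.

```shell
# Constructed samples ("deploy" and "alice" are hypothetical users).
SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
deploy ALL=(ALL) ALL
# alice ALL=(ALL) ALL'
SAMPLE_SSHD='Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes'

# has_sudo_rule USER "GROUP ..." < sudoers text
# Succeeds if an uncommented rule starts with USER or %GROUP.
# Simplification: include directives and aliases are not followed.
has_sudo_rule() {
    awk -v user="$1" -v grps="$2" '
        BEGIN { want[user] = 1
                n = split(grps, g, " ")
                for (i = 1; i <= n; i++) want["%" g[i]] = 1 }
        /^[ \t]*#/ { next }
        ($1 in want) && $2 ~ /^ALL=/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# root_login_setting < sshd_config text
# Prints the global PermitRootLogin value. sshd keeps the first value it
# reads for a keyword and matches keywords case-insensitively; lines after
# the first Match block are conditional, so scanning stops there.
root_login_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

# preflight USER "GROUP ..." SUDOERS_TEXT SSHD_TEXT
preflight() {
    if ! printf '%s\n' "$3" | has_sudo_rule "$1" "$2"; then
        echo "BLOCK: $1 has no sudo rule; disabling root would lock you out"
        return 1
    fi
    case "$(printf '%s\n' "$4" | root_login_setting)" in
        no) echo "OK: root login already disabled and $1 can sudo" ;;
        *)  echo "READY: $1 can sudo; root login can be disabled" ;;
    esac
}

preflight deploy "" "$SAMPLE_SUDOERS" "$SAMPLE_SSHD"
```

On a live server, `visudo -c`, `sudo -l -U <user>` and `sshd -T` give the authoritative answers; the functions above only read the text they are given.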
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!