Disable root login and secure sshd

A short note on how to disable root login and secure sshd on Linux.

Initial

  • To disable direct root login over the ssh protocol, first create an account that will act as the system administrator.
  • Try NOT to assign this user to the web or httpd document root.
  • Try to disable httpd userdir for this user if you have turned on mod_userdir for the Apache httpd server.
  • For this example, let's assume josh is the system administrator.
  • Add the new account josh and assign it to the wheel group as a secondary group.

sshd Configuration

  • The sshd config file is /etc/sshd_config; use any editor to change these values.
  • Find

  • Un-comment and/or Change to

  • Find

  • Un-comment and/or Change to

  • Find

  • Un-comment and/or Change to

  • Find

  • Un-comment and/or Change to

  • Find

  • Un-comment and/or Change to

pam su Configuration

  • The su configuration is in /etc/pam.d/su; use any editor to change these values.

  • Un-comment and/or Change to

Allow wheel in sudoers

  • Find the following line.

  • Un-comment and/or Change to

Restart sshd

  • Before restarting sshd, make sure that every single modification is correct.
  • With any single mistake, you will be unable to su to root.
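
A pre-restart check for the warning above, as an added example that is not part of the original note. It assumes the intended setting is `PermitRootLogin no` and that the administrator (josh) reaches root through the wheel group; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-restart checks. File paths are arguments, so it can run on copies.

# Print the value sshd would use for KEYWORD in the global section of FILE.
# sshd keeps the first value it reads for a keyword; Match blocks are not considered.
effective_sshd_value() {   # effective_sshd_value FILE KEYWORD
    awk -v kw="$2" '
        /^[ \t]*#/ { next }                        # skip commented-out lines
        tolower($1) == "match" { exit }            # stop at the first Match block
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# Succeed if USER is a secondary member of GROUP in a group(5)-format FILE.
user_in_group() {          # user_in_group FILE USER GROUP
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }
    ' "$1"
}

# Return 0 only when root login is off AND the admin can still reach root via wheel.
preflight() {              # preflight SSHD_CONFIG GROUP_FILE ADMIN_USER
    rc=0
    val=$(effective_sshd_value "$1" PermitRootLogin)
    if [ "$val" != "no" ]; then
        echo "FAIL: effective PermitRootLogin is '${val:-unset}', expected 'no'"; rc=1
    fi
    if ! user_in_group "$2" "$3" wheel; then
        echo "FAIL: $3 is not in wheel; su/sudo to root would be locked out"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: safe to restart sshd"
    return "$rc"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'PermitRootLogin yes' \
    'Match User backup' '    PermitRootLogin yes' > "$demo/sshd_good"
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$demo/sshd_bad"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root,josh' 'josh:x:1000:' > "$demo/group"

preflight "$demo/sshd_good" "$demo/group" josh  || true
preflight "$demo/sshd_bad"  "$demo/group" alice || true
```

On the real host, pass the live sshd config and /etc/group, and run `sshd -t` to syntax-check the configuration. Keep the current session open until a fresh login as the administrator and a switch to root both succeed.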