Securing SSH: Disable Root Login and Only Allow Specific Users to Login

SSH — Secure Shell — is a common method of securely logging into a remote server. First released in the mid 1990’s, it’s estimated that more than 2 million people now use SSH. Over the years, SSH has proven itself to be pretty secure, but by changing some of the default settings and behaviors it can be made even more secure.

This second article in the Securing SSH series demonstrates how to disable root login, and control access by only allowing specific users to login.

Why should you disable root logins?

If someone is able to log in with a root account then they have complete, unprotected access to the entire system. By disabling root logins you require a hacker to do more work, since they would then have to gain access to another account that can login, and then escalate their privileges using the root account once they are logged in.

Another reason to disable root logins is because pretty much all Unix-based system have a root user. If a hacker is trying to bruteforce their way into a machine, having an account name that they know is valid increases the attack vector, making it easier and faster to compromise a system.

Back Up

Begin by making a backup copy of the sshd_config file:

Disable root SSH logins

Next, open the sshd_config file:

Find the option for PermitRootLogin, and change its value to no:

Only allow certain users or groups to login

Another way to restrict access is to explicitly declare which users or groups are allowed to SSH in. This is accomplished with the AllowUsers and AllowGroups directives.

For this example, say that we want to only allow the users Admin, Bob, and Alice to login.

Open the sshd_config file if it’s not still open:

AllowUsers directive

One method is to use the AllowUsers directive. On a new line in the sshd_config add AllowUsers, followed by the list of users that you want to have SSH access:

AllowGroups directive

To make things easier to manage, some prefer to use the AllowGroups directive. With this method, you simply add or remove users from a predefined group to control their access to SSH.

Begin by making a new group:

Next, add the desired users to the new group:

Finally, edit sshd_config. On a new line, add the AllowGroups directive and the list of group names to allow.

If you need to remove a user from the sshusers group (thus, preventing them from logging in through SSH), then use the deluser command:

Restart SSH

After all of the above changes are made SSH must be restarted:

Downsides and warnings

Before disabling root access, make sure there is another system user that can login via SSH. If not, you might lock yourself out of your server.

The main downside to this method is that it requires an extra step for you to obtain root access to your server: You first have to login with a non-root user, and then use sudo, su root, or some other method to obtain root privileges. This is definitely a fair trade-off for the amount of extra security it provides.

Wrapping Up

By disabling root SSH logins, and limiting SSH access to specific accounts you drastically reduce the possible attack vectors, making bruteforce attempts nearly impossible. These techniques, combined with disabling SSH password logins, are the basis for securing SSH access to your servers.

Leave a Reply

Your email address will not be published. Required fields are marked *

×Mike Everhart

Need Some More Help? Let's Talk!

I'd love to work with you! Fill out the form below to schedule a free consultation to discuss your needs and how I can help.

Need More Help?