Books / How To Secure A Linux Server / Chapter 8
Disable Root Login
Warning: !! PROCEED AT YOUR OWN RISK !!
This section covers things that are high risk because they can make your system unusable, or that many consider unnecessary because the risks outweigh any rewards.
Why disable root login?
If you have sudo configured properly, the root account will rarely, if ever, need to log in directly, either at the terminal or remotely.
Be warned, this can cause issues with some configurations!
If your installation uses sulogin (like Debian) to drop to a root console during boot failures, then locking the root account will prevent sulogin from opening the root shell and you will get this error:
Cannot open access to console, the root account is locked.
See sulogin(8) man page for more details.
Press Enter to continue.
To work around this, you can use the --force option for sulogin. Some distributions already include this, or some other, workaround.
An alternative to locking the root account is to set a long, complicated root password and store it in a secured, non-digital format. That way you have it when/if you need it.
Goals
- locked root account that nobody can use to log in as root
Notes
- Some distributions disable root login by default (e.g. Ubuntu) so you may not need to do this step. Check with your distribution’s documentation.
Steps - Disable root login
- Lock the root account:
  sudo passwd -l root
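After locking root, two things are worth verifying: that the shadow entry really is locked, and that the boot-failure path still has the sulogin workaround the warning above describes. The script below is an added example written for this chapter, not code from the book; the function names are mine, the shadow line and unit text are constructed samples, and the check also accepts SYSTEMD_SULOGIN_FORCE=1, which is systemd's environment-variable equivalent of passing --force to sulogin.

```shell
#!/bin/sh
# Added post-change checks for "Disable Root Login" (example, not from the book).
# The functions work on text, so they run offline against constructed input;
# the usage note below shows what to feed them on a live host.

# Classify the password field of one /etc/shadow line.
# "passwd -l" prepends "!" to the hash; "*" or "!*" also block password login.
shadow_lock_state() {
  field=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$field" in
    '!'*|'*') echo locked ;;
    '')       echo empty ;;     # no password at all: worse than unlocked
    *)        echo unlocked ;;
  esac
}

# Does a rescue/emergency unit definition carry the sulogin workaround?
# Takes the unit text (e.g. output of "systemctl cat rescue.service") and
# returns 0 if it passes --force to sulogin or sets SYSTEMD_SULOGIN_FORCE=1.
unit_has_sulogin_force() {
  case "$1" in
    *sulogin*--force*|*SYSTEMD_SULOGIN_FORCE=1*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample input (fake hashes, not from a real system).
SAMPLE_LOCKED='root:!$6$saltsalt$fakehashfakehash:19700:0:99999:7:::'
SAMPLE_OPEN='root:$6$saltsalt$fakehashfakehash:19700:0:99999:7:::'
SAMPLE_UNIT_OK='[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'
SAMPLE_UNIT_BAD='[Service]
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'

main() {
  for line in "$SAMPLE_LOCKED" "$SAMPLE_OPEN"; do
    echo "root entry is $(shadow_lock_state "$line")"
  done
  if unit_has_sulogin_force "$SAMPLE_UNIT_OK"; then
    echo "rescue unit: sulogin --force workaround present"
  fi
  if ! unit_has_sulogin_force "$SAMPLE_UNIT_BAD"; then
    echo "rescue unit: no --force; a locked root gets no rescue shell at boot"
  fi
}
main
```

On a live host, feed shadow_lock_state the output of `sudo grep '^root:' /etc/shadow` (or simply read the L/P flag from `sudo passwd -S root`) and feed unit_has_sulogin_force the output of `systemctl cat rescue.service` and `systemctl cat emergency.service`.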