Disable direct root login and create dedicated SSH user
It is very important to secure your Linux server to protect your data, intellectual property, and time from the hands of crackers (hackers). Everybody says that Linux server is secure by default and to some extent this is true. Linux has in-built security model by default. We need to tune it up and customize as per our need which may help to make the system more secure. Linux is harder to manage, but it offers more flexibility and configuration options. Securing a server from the hands of hackers and crackers is a challenging task for a System Administrator.
The most important steps to secure your server is to disable the direct root login and create a dedicated SSH user. Enabling direct root login may help the hackers to login your server very easily. Never login as root user for that reason. You should use sudo to execute root level commands. By using sudo we can greatly enhance the security of the system without sharing root password with other users and admins. It provides simple auditing and tracking features too.
Here we can discuss about how to disable direct root login and how to create a dedicated SSH user.
Disable direct root login
Please note that you do not log out from your system after disabling the direct root login. Follow the steps until you create a dedicated SSH user and then you can log out. Otherwise you will not be able to login to your system again. Please be careful about this.
Root user is the one who has the ability to do anything in your system. Imagine if someone got access to your root user account?! Let’s disable direct root login by using the below steps.
Edit the SSH main configuration page
vi /etc/ssh/sshd_config
There you can find the below line.
#PermitRootLogin yes
Change it as below.
PermitRootLogin no
Restart SSH service to update the changes.
/etc/init.d/sshd restart
Now you have disabled direct root login. Please follow the below steps to create a dedicated SSH user.
Create dedicated SSH user
After disabling the direct root login, you need to create a dedicated SSH user. (Only this user will have SSH login permission in your system.)
We are going to create a dedicated user called “isusr” Please follow the below steps.
Create the user account.
useradd isusr
Set Password for the user.
passwd isusr
Add this user to “/etc/sudoers” file. Simply edit this file or run the below command.
visudo
Here you can find a line as shown below.
root ALL=(ALL) ALL
The above line means root user can run any commands anywhere. Add the given below line under this line.
isusr ALL=(ALL) ALL
Now save the file.
From now on, the user “isusr” have the permission to run any commands anywhere. For this to work you have to add “sudo” to the beginning of every command that you execute as user “isusr”.
For example, if you are logged in as “isusr” and want to restart MySQL. You have to do it as shown below.
sudo /etc/init.d/mysql restart
You can also switch this user to root user. For this please run the below command.
sudo su –
Now you have disabled direct root login and created a user called “isusr” with full permission in your system. This does not mean “isusr” is a dedicated SSH user. There maybe other users in your system that have SSH shell access. Please follow the below steps to block all those users and to set “isusr” as dedicated SSH user.
Edit the SSH main configuration file.
vi /etc/ssh/sshd_config
Add the below lines.
AllowUsers isusr
Save the file and restart SSH service to update these changes.
/etc/init.d/sshd restart
Now you have created a dedicated SSH user.
If you need any further assistance please reach our support department.
