Why should I really disable root ssh login?
Solution 1
You answered your own question. By disabling remote access to root in *Nix or administrator access in Windows, you make it that much harder for someone to gain privileged access to your computer. If someone steals or brute-forces your non-privileged account password, then they only have limited access.
Solution 2
root is a dangerous account since it can literally do anything it wants on the system. You want to protect it from unauthorized access as much as possible.
By disallowing root logins via SSH, you require 2 passwords for someone to gain root, instead of 1. If someone is trying to guess or crack your passwords, this doubles their workload.
@Daniel B. in the comments is right, using keys are better than passwords, if they are passphrase-protected.
The above still applies if you only allow passphrase-protected keys instead of passwords - and still disallow root from logging in even with a key. So even if you use keys instead of passwords there is a benefit from disabling direct root login via SSH.
Related videos on Youtube
03 : 35
05 : 35
09 : 36
05 : 36
02 : 02
Brettetete
Updated on September 18, 2022Comments
-
Brettetete almost 2 years
I always read I should disable root login for SSH and login with a user which has sudo. But where is the difference between:
ssh root@vpsand
ssh myuser@vps sudo -iI don't have physical access to my server and need root permissions per remote access in some way. Is the only advantage here, that the username is unknown?
Security Tip: Disable Root SSH Login on Linux
One of the biggest security holes you could open on your server is to allow directly logging in as root through ssh, because any cracker can attempt to brute force your root password and potentially get access to your system if they can figure out your password.
It’s much better to have a separate account that you regularly use and simply sudo to root when necessary.
-
Daniel B over 8 yearsJust disable passwords completely and use public key auth. Or at least use
PermitRootLogin without-password. Also, take a look at this. -
Braiam over 8 yearsBecause there isn't a good reason to allow root login?
-
user956584 over 8 yearsBecause "root" is default admin login, so its easy target for SSH scanner. Also better install Fail2ban and login as normal user and the run "su" command -
Admin about 2 years( SSH pub/private keys) vs (SSH login with password), they are different!!! why do people keep using confusing terms for such different things
-
-
Kinnectus over 8 years:P Quick way of getting extra points! Well played that lad. Good answer though :) -
barlop over 8 yearsYou write "if you disable SSH login with passphrase-protected keys instead of passwords " <-- What does that mean? If you disable A instead of B. Do you mean if you Enable A(passphrase-protected keys) and disable B(passwords)? You could've written that more clearly.
-
LawrenceC over 8 yearsAgreed, I edited. :) -
user253751 over 8 years" If someone steals or brute-forces your non-privileged account password, then they only have limited access." - Wrong if they can just run
sudo -iand retype the password! -
Keltari over 8 years@user20574 incorrect.
-
user253751 over 8 years@Keltan Why is it incorrect?
-
Keltari over 8 years@user20574 you are making the assumption that the user has root privs.
-
user253751 over 8 years@Keltan You read the question right? This is for a situation where some user needs to be able to use root privileges.
-
Dan Getz over 8 yearsTwo passwords to gain root is withsu. Forsudo(like in the question's example and quoted advice) this is the same password, so there's only one (that you might need to type more than once). -
Daniel B over 8 years@DanGetz Depends. You can also require the target user’s (or root’s) password with
sudo. // Also, I disagree about passwords on keys being required. Keys prevent brute force attacks (targetingsshd) either way. -
Tanath over 8 yearsThe method used to gain access doesn't necessarily give them the user's password.
