Linux “root” tweaks

Tired of always being afraid someone will hack into your Linux computer/server?

One of the most important steps is to make sure the attacker can’t log in with the “root” account.

In order to do this, you have to:

  1. Make sure you can “switch user” to root (you will need to be able to control your system, after all)
  2. Make sure that nobody can log in as root, either remotely or locally.

Switch user to root

There is more than one way to do this, but this is the method I prefer (since I’m also a fan of Pluggable Authentication Modules, a.k.a. PAM). Keep in mind that all commands have to be run in the console; disregard the leading “#” or “$”, which mark commands that have to be run as root or as a regular user. Ubuntu users will also need to look up the “sudo” method.

Add your user to the wheel group

Change permissions for “su”

Add here the following line(s):

On some systems you might have to add the same lines to the file /etc/pam.d/su-l. Please log out now and log back in to test that it’s running as it should:

Don’t proceed to the next step until you have made sure it works, or else you’ll have to hack into your own Linux machine (this will be covered at a later date).

Disable root password (yes, erase it!)

Using usermod

For information on usermod:

Directly editing the password file

The first line should look similar to this one (only the huge string should be different):

After you edit the file, it should look like this:

Disable root login via SSH

This isn’t really necessary, but in case you decide at a later date to re-enable the root password, you’ll not want anyone to try to guess your password.

Look for the line that contains:

Replace that line with:

Done! Now log out of all accounts and you’ll only be able to be root if you “su” from one of the “wheel” group accounts.
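
To confirm that every step above actually took effect, the end state can be audited with a short script. This is an added example, not code from the original post: the function names, the user “alice” and the sample file contents are constructed, and the checks assume the pam_wheel.so module for the su restriction and the standard shadow, group and sshd_config file formats.

```shell
#!/bin/sh
# Added example: audits the end state of the root lockdown. Every check takes
# a file path, so it can be run on copies; all sample data below is constructed.

# 0 if root's shadow field starts with "!" or "*" (password login impossible).
# An EMPTY field does not count: it means root needs no password at all.
root_pw_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { ok = 1 } END { exit !ok }' "$1"
}

# 0 if an active auth line makes pam_wheel.so mandatory for su.
# "sufficient pam_wheel.so trust" is rejected: it grants access, it does not restrict.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# 0 if the first active PermitRootLogin line says "no" (sshd keeps the first value).
ssh_root_disabled() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit } END { exit (v != "no") }' "$1"
}

# 0 if user $2 is listed as a member of group "wheel" in a group-format file.
user_in_wheel() {
    awk -F: -v u="$2" '$1 == "wheel" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1
    } END { exit !ok }' "$1"
}

# Constructed stand-ins for /etc/shadow, /etc/pam.d/su, /etc/ssh/sshd_config
# and /etc/group; the user "alice" is hypothetical.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'root:!:19000:0:99999:7:::\nalice:$6$constructed$hash:19000:0:99999:7:::\n' > "$demo/shadow"
printf 'root::19000:0:99999:7:::\n' > "$demo/shadow.empty"
printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\n' > "$demo/su"
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'wheel:x:10:alice\n' > "$demo/group"

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report root_pw_locked "$demo/shadow"
report root_pw_locked "$demo/shadow.empty"   # FAIL: empty field = passwordless root
report su_requires_wheel "$demo/su"
report ssh_root_disabled "$demo/sshd_config"
report user_in_wheel "$demo/group" alice
```

On a real host, run the functions as root against /etc/shadow, /etc/pam.d/su, /etc/ssh/sshd_config and /etc/group. The sshd check reads only the file it is given, so compare the result with the output of sshd -T if the configuration uses Include files.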

Feedback is welcomed. Any other tips to be added, drop me a line (or a comment below).