Tired of always being afraid someone will hack into your Linux computer/server?

One of the most important steps is to make sure the attacker can’t log in with the “root” account.

In order to do this, you have to:

  1. Make sure you can “switch user” to root (you will need to be able to control your system, after all)
  2. Make sure that nobody can log in as root, neither remotely nor locally.

Switch user to root

There is more than one way to do this, but this is the method I prefer (since I’m also a Pluggable Authentication Modules a.k.a. PAM fan). Please keep in mind that all commands have to be run in the console; do not type the leading “#” or “$”, which mark commands that have to be run as root or as a regular user, respectively. Ubuntu users will also need to search for the “sudo” method.

Add your user to the wheel group

# usermod -G wheel -a username

Change permissions for su

# nano -w /etc/pam.d/su

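Add the following lines. The first lets members of the wheel group run su without being asked for a password; the second denies su to anyone who is not in wheel: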

auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid

On some systems you might have to add the same lines to the file /etc/pam.d/su-l. Please log out now and log back in to test that it’s running as it should:

$ su -
#

Don’t proceed to the next step until you have made sure it works, or else you’ll have to hack into your own Linux machine (this will be covered at a later date).

Disable root password (yes, erase it!)

Using usermod

# usermod -L root

For information on usermod:

$ man usermod

Directly editing the password file

# nano -w /etc/shadow

The first line should look similar to this one (only the huge string should be different):

root:$6$K8ZWaM00$mb9zw4hCm[....]9G2ujtkI29vz7gJ6bXG4scracDI31:15348:0:99999:7:::

After you edit the file, replacing the password hash with “!!”, it should look like this:

root:!!:15348:0:99999:7:::

Disable root login via SSH

This isn’t really necessary, but in case you decide at a later date to re-enable the root password, you won’t want anyone trying to guess your password.

# nano -w /etc/ssh/sshd_config

Look for the line that contains:

PermitRootLogin

Replace that line with:

PermitRootLogin no

Done! Now log out of all accounts. From here on, the only way to become root is to run “su” from one of the accounts in the “wheel” group.
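
To confirm the end state described above without changing anything, here is a read-only audit script. It is an added example, not part of the original post; the function names and sample files are constructed for illustration, and it assumes the PAM lines use the plain one-word control flags shown in this guide.

```sh
#!/bin/sh
# Added example: read-only audit of the three settings changed in this guide.
# Each function takes the file to inspect as $1, so it also works on copies.

# 0 if root's password field in a shadow-format file is locked ("!" or "*").
root_pw_locked() {
    awk -F: '$1 == "root" { found = 1; ok = ($2 ~ /^[!*]/) }
             END { exit ((found && ok) ? 0 : 1) }' "$1"
}

# 0 if the first active PermitRootLogin line says "no". sshd uses the first
# value it reads and ignores keyword case; a missing line counts as a failure.
# Limitation: Match blocks and Include files are not evaluated.
ssh_root_denied() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { exit ((v == "no") ? 0 : 1) }' "$1"
}

# 0 if an active "auth <control> pam_wheel.so" line exists. $2 is the control
# flag ("required" or "sufficient"), $3 an optional module option such as "trust".
su_has_wheel() {
    awk -v c="$2" -v o="$3" '
        $1 == "auth" && $2 == c && $3 == "pam_wheel.so" {
            if (o == "") hit = 1
            for (i = 4; i <= NF; i++) if ($i == o) hit = 1 }
        END { exit (hit ? 0 : 1) }' "$1"
}

# Print one line per check and return the number of failed checks. The "trust"
# line matters: with root's password locked, su can only succeed through it.
audit() {   # $1 = shadow file, $2 = sshd_config, $3 = PAM file for su
    fails=0
    check() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi; }
    check root_pw_locked "$1"
    check ssh_root_denied "$2"
    check su_has_wheel "$3" required
    check su_has_wheel "$3" sufficient trust
    return "$fails"
}

# Constructed sample files (not from a real host): the state this guide ends in.
d=$(mktemp -d)
printf '%s\n' 'root:!!:15348:0:99999:7:::' > "$d/shadow"
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$d/sshd_config"
printf '%s\n' 'auth sufficient pam_wheel.so trust use_uid' 'auth required pam_wheel.so use_uid' > "$d/su"
audit "$d/shadow" "$d/sshd_config" "$d/su" || echo "$? check(s) failed"
rm -rf "$d"
```

With the functions loaded in a root shell, `audit /etc/shadow /etc/ssh/sshd_config /etc/pam.d/su` runs the same checks against the live files.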

Feedback is welcomed. Any other tips to be added, drop me a line (or a comment below).