
Hey Y’all!



Disabling root login is a super easy trick to increase security on Linux devices. In a lot of cases, IT admins set the root password as something simple so they remember it easily, as they use it often to access a device via SSH. Furthermore, attackers typically use the root credential when trying to gain access to your device.



For this reason and more, disabling root login and creating users with root privileges is a good security practice. The Worklet below is designed to evaluate your device to ensure root login is disabled.



Note: you need to make sure the users you’ve created on this device have sudo privileges.



This Worklet currently only supports devices running CentOS. Check back later, as this script will be modified to support other Linux distros.



Evaluation:



#!/bin/bash

# pattern for the undesired root login value; this is the line you are looking for
ssh_value="^PermitRootLogin yes"

# check the current conf file on the device for that line; grep exits 0 when it is found
grep -E "${ssh_value}" /etc/ssh/sshd_config

# exit 1 (remediation needed) if the line exists; exit 0 if it does not
[[ $? -eq 0 ]] && exit 1

exit 0



Remediation:



#!/bin/bash

# set the value in the conf file to disable root login access on the device
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

# restart sshd so the new setting takes effect
service sshd restart





You’re all set! Root login is now disabled on the device. If you have any questions please feel free to reach out!
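The evaluation above only matches the literal line "PermitRootLogin yes" at the start of a line, so it misreads a commented-out "#PermitRootLogin yes" (which leaves the default in force), an indented or mixed-case directive, or a duplicate directive where sshd uses the first value. The following added example, which is not part of the worklet or of Automox, resolves the effective value the way sshd_config(5) describes; it assumes the OpenSSH 7.0+ default of "prohibit-password" when the directive is absent, and runs against constructed sample files rather than a real device.

```shell
#!/bin/bash
# Added example, not part of the original worklet. Resolves the *effective*
# PermitRootLogin value instead of grepping for one literal line.
# Rules from sshd_config(5): keywords are case-insensitive, leading whitespace
# and "#" comments are ignored, "=" may separate keyword and value, the FIRST
# occurrence of a keyword wins, and everything after the first "Match" line is
# conditional (so the scan stops there).
# Assumption: absent directive means the OpenSSH 7.0+ default "prohibit-password".

effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); n = split($0, f, "[ \t=]+") }
        tolower(f[1]) == "match" { exit }             # conditional section: stop
        tolower(f[1]) == "permitrootlogin" && n >= 2 {
            v = tolower(f[2]); gsub(/"/, "", v)       # first value wins
            print v; found = 1; exit
        }
        END { if (!found) print "prohibit-password" } # assumed default
    ' "$1"
}

# Exit 0 only when root login is fully disabled ("no"); "prohibit-password"
# and "without-password" still allow key-based root logins.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not real device files) covering the cases the
# literal grep misreads.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/commented.conf" <<'EOF'
# commented out, so the default applies although the text appears
#PermitRootLogin yes
PasswordAuthentication yes
EOF
printf '\tpermitrootlogin = "No"\nPort 22\n' > "$demo_dir/disabled.conf"
cat > "$demo_dir/dup.conf" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
EOF

for cfg in "$demo_dir"/*.conf; do
    printf '%-15s effective=%-17s disabled=%s\n' "$(basename "$cfg")" \
        "$(effective_permit_root_login "$cfg")" \
        "$(root_login_disabled "$cfg" && echo yes || echo no)"
done
```

On a live host, `sshd -T | grep -i permitrootlogin` reports the value sshd actually applies, Match blocks included, and is the check to prefer when sshd is installed.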

You should add this to the remediation script to make sure that the changes take effect:



service sshd restart


Good suggestion. Added to remediation.


Hey, how do I make this policy work for Ubuntu systems? I need to disable root login for Ubuntu systems.


This should do it for you on Ubuntu Linux devices.



Remediation:


sudo passwd -l root



No need to restart any services; the root password should be disabled at the next login attempt by the root account.



To unlock, you would use -u instead of -l.