If you're managing Linux servers in any capacity, production, staging, or internal, you need to ask yourself one thing:
Why is root allowed to SSH in directly?
Here's the thing: direct root login over SSH is a security risk that's just not worth it. It gives attackers a straight shot at the most powerful user on your system. That's why one of the first things I do when hardening servers is disable it.
Let's break down how to do that cleanly and safely.
Why This Matters
Allowing root to log in over SSH is convenient, but it's a massive attack surface:
- Brute-force bots love targeting the root account
- No accountability (you can't tell who logged in)
- One password = total compromise
By disabling root login:
- You force users to authenticate with their own accounts
- You get better visibility via sudo logs
- You reduce your SSH attack surface by a mile
How To Disable Root SSH Login
- SSH into your server as a non-root user:
ssh your_user@your_server
- Open the SSH config file:
sudo vi /etc/ssh/sshd_config
- Find this line:
#PermitRootLogin yes
Uncomment and change it to:
PermitRootLogin no
- Save and exit, then restart SSH:
sudo systemctl restart sshd
- Double-check it's applied:
sudo grep -i PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
Good To Know
Don't lock yourself out: make sure your user has sudo access before doing this.
For larger environments, automate this with tools like Ansible or Terraform.
You can take it a step further by disabling password login entirely and switching to key-based auth.
Wrapping Up
Disabling SSH root login is one of those low-effort, high-impact security moves that should be standard across your entire infrastructure. It's fast, it's easy, and it adds a solid layer of protection.
If you haven't done this yet, now's the time.