DEV Community

Anusha Kuppili
Anusha Kuppili

Posted on

🔒 Disable Root SSH Login — Simple Step, Huge Security Win

If you're managing Linux servers in any capacity — production, staging, or internal — you need to ask yourself one thing:

Why is root allowed to SSH in directly?

Here’s the thing: direct root login over SSH is a security risk that’s just not worth it. It gives attackers a straight shot at the most powerful user on your system. That's why one of the first things I do when hardening servers is disable it.

Let’s break down how to do that cleanly and safely.

âť—Why This Matters
Allowing root to log in over SSH is convenient, but it’s a massive attack surface:

Brute-force bots love targeting the root account

No accountability (you can’t tell who logged in)

One password = total compromise

By disabling root login:

You force users to authenticate with their own accounts

You get better visibility via sudo logs

You reduce your SSH attack surface by a mile

âś… How To Disable Root SSH Login

  1. SSH into your server as a non-root user:
ssh your_user@your_server
Enter fullscreen mode Exit fullscreen mode
  1. Open the SSH config file:
sudo vi /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode
  1. Find this line:
#PermitRootLogin yes
Enter fullscreen mode Exit fullscreen mode

Uncomment and change it to:

PermitRootLogin no
Enter fullscreen mode Exit fullscreen mode
  1. Save and exit, then restart SSH:
sudo systemctl restart sshd
Enter fullscreen mode Exit fullscreen mode
  1. Double-check it’s applied:
sudo grep -i PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
Enter fullscreen mode Exit fullscreen mode

đź§  Good To Know
Don’t lock yourself out — make sure your user has sudo access before doing this.

For larger environments, automate this with tools like Ansible or Terraform.

You can take it a step further by disabling password login entirely and switching to key-based auth.

🚀 Wrapping Up
Disabling SSH root login is one of those low-effort, high-impact security moves that should be standard across your entire infrastructure. It’s fast, it’s easy, and it adds a solid layer of protection.

If you haven’t done this yet — now’s the time.

Top comments (0)