If you're managing Linux servers in any capacity — production, staging, or internal — you need to ask yourself one thing:
Why is root allowed to SSH in directly?
Here’s the thing: direct root login over SSH is a security risk that’s just not worth it. It gives attackers a straight shot at the most powerful user on your system. That's why one of the first things I do when hardening servers is disable it.
Let’s break down how to do that cleanly and safely.
âť—Why This Matters
Allowing root to log in over SSH is convenient, but it’s a massive attack surface:
Brute-force bots love targeting the root account
No accountability (you can’t tell who logged in)
One password = total compromise
By disabling root login:
You force users to authenticate with their own accounts
You get better visibility via sudo logs
You reduce your SSH attack surface by a mile
âś… How To Disable Root SSH Login
- SSH into your server as a non-root user:
ssh your_user@your_server
- Open the SSH config file:
sudo vi /etc/ssh/sshd_config
- Find this line:
#PermitRootLogin yes
Uncomment and change it to:
PermitRootLogin no
- Save and exit, then restart SSH:
sudo systemctl restart sshd
- Double-check it’s applied:
sudo grep -i PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
🧠Good To Know
Don’t lock yourself out — make sure your user has sudo access before doing this.
For larger environments, automate this with tools like Ansible or Terraform.
You can take it a step further by disabling password login entirely and switching to key-based auth.
🚀 Wrapping Up
Disabling SSH root login is one of those low-effort, high-impact security moves that should be standard across your entire infrastructure. It’s fast, it’s easy, and it adds a solid layer of protection.
If you haven’t done this yet — now’s the time.
Top comments (0)