How to Limit Your Root User Access in Debian and Ubuntu

Verified and Tested 1/7/16

Introduction

What we’ll be doing in this tutorial is making it so that you can no longer SSH using your root user. In this article, we are using Ubuntu 14.04 64bit in our Cloud. However,  this also works on any modern version of Ubuntu or Debian. We will be making a new user on the server to use as our new SSH user and we will be setting the user up to be a sudo access user. In other words, the new user will be able to access commands as if it were the root user!

Prerequisites

A server with root access on Debian or Ubuntu. Need a Debian or Ubuntu server? Try one of our VPS hosting solutions.

Limiting Your Root User Access in Debian and Ubuntu

First, we will want to SSH into our server as the root user using your preferred SSH client. Now what we will want to do is run the below command to make a new user and their home directory.

adduser newuser --home /home/newuser

You will want to change “newuser” to be the new user that you wish to create. After running this, you will be prompted to create a password for the user. After creating the password, you will be prompted to add details to this new user. These details are for you and you may fill them out if you’d like. If not, simply press enter through each step and finish by verifying your new user information and entering ‘y’ for yes and pressing enter.

Remember to always use strong passwords!

Now, we will want to edit our sudoers file so that our new user can run commands like the root user.

visudo

note*In Debian, you do not need to configure your visudo. In fact, all you need to do is run:

adduser newuser sudo

Where newuser is your username. If you are running Debian, you may skip to the testing the new user section below.

In your sudoers file, you will need to locate the area that has the below information. This is where we will be adding our new user’s rights. Right under the root entry, you will want to make the entry:

newuser ALL=(ALL:ALL) ALL

The newuser entry is your new user. It should look similar to the below picture.

If you don’t know how to edit in vi, you will want to (on your keyboard) hit the Insert button. Then go to the location to add the new user information and type it out. When you are done hit the ESC key on your keyboard and then do “:wq!” to save your changes.

Now the next thing to do is to test the new user! The best way to do this is to either log out or create a new SSH session using that new username and password to log in. Once you log in successfully, we can test your sudo access by going into the SSHD configuration file as the new user. This is because we still have one more change to do to prevent root log in. You can use your favorite editor for this part, we are using vi.

Note: To use other commands on the server “as root” you will need to preface it with sudo

sudo vi /etc/ssh/sshd_config

This command will open the SSHD configuration file like you are the root user. You will want to locate the “PermiteRootLogin” option indicated by the green indicator in this picture and change the “yes” to a “no”

locate the “PermiteRootLogin” option indicated by the green indicator in this picture and change the “yes” to a “no”

Once done, save and exit the file. Then run:

sudo service ssh restart

You will now be unable to SSH to your server as the root user.

Thank you for following along this how-to, we hope you enjoyed it.  Please check back here for new updates or check out our related articles below.