How to disable SSH logins for the root account

CREATING A NORMAL USER ACCOUNT

Before you disable SSH logins for the root account, you must create a normal user account. (Otherwise, you will be unable to access your server when you disable the root account for SSH logins.)

CentOS and Fedora

To create a user and grant it administrative privileges on a server running CentOS or Fedora, follow these steps:
  1. Log in to the server using SSH.
  2. At the command prompt, type the following command. Replace username with the name of the user that you want to add:
    useradd username
  3. Type the following command, replacing username with the name of the user that you created in step 2:
    passwd username
  4. To add the user to the wheel group, type the following command:
    usermod -aG wheel username
  5. To grant administrative privileges to the user, type the following command:
    visudo
    This command opens the sudoers file for editing.
  6. Add the following line to the file. Replace username with the name of the user that you created in step 2:
    username ALL=(ALL) ALL
    Now the user can run commands as the root user by prefixing the command with sudo. For example, the user can view the root home directory by typing the command sudo ls /root.
  7. The relevant section of the sudoers file should now resemble the following:
    ## Allow root to run any commands anywhere
    username    ALL=(ALL)       ALL
    root ALL=(ALL)  ALL
    
    # Allow members of group wheel to execute any command
    %wheel ALL=(ALL) ALL
By default, the user can now run any command as the root user. For security reasons, however, you may want to restrict which commands the user can run as root by using the visudo command. Alternatively, you can use the su command to change to the root user account from any account (assuming you know the root password).

DISABLING SSH LOGIN FOR ROOT

After you create a normal user, you can disable SSH logins for the root account. To do this, follow these steps:
  1. Log in to the server as root using SSH.
  2. Open the /etc/ssh/sshd_config file in your preferred text editor (nano, vi, etc.).
  3. Locate the following line:
    PermitRootLogin yes
  4. Modify the line as follows:
    PermitRootLogin no
  5. Add the following line. Replace username with the name of the user you created in the previous procedure:
    AllowUsers username
    This step is crucial. If you do not add the user to the list of allowed SSH users, you will be unable to log in to your server!
  6. Save the changes to the /etc/ssh/sshd_config file, and then exit the text editor.
  7. Restart the SSH service using the appropriate command for your Linux distribution:
    • For CentOS and Fedora, type:
      service sshd restart
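
A check to run against the edited file before restarting sshd, added here as an example and not part of the original instructions. The function name check_sshd_lockout and its return codes are assumptions, and it reads the file directly instead of querying sshd.

```shell
#!/bin/sh
# Added example: lockout check for the sshd_config edits described above.
# check_sshd_lockout CONFIG USER returns
#   0  root login disabled and USER may log in
#   1  PermitRootLogin is missing or not "no"
#   2  AllowUsers is present but no pattern matches USER
# Simplifications: Match blocks, Include files, "key=value" spelling and the
# host part of USER@HOST patterns are not evaluated.

# First value of a keyword; sshd uses the first occurrence it reads.
first_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# All AllowUsers patterns, one per line; repeated directives accumulate.
allow_patterns() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

check_sshd_lockout() {
    conf=$1
    user=$2
    [ "$(first_value "$conf" PermitRootLogin)" = "no" ] || return 1
    patterns=$(allow_patterns "$conf")
    # Without any AllowUsers line, sshd does not restrict by user name.
    if [ -z "$patterns" ]; then return 0; fi
    while IFS= read -r p; do
        # Unquoted on purpose: AllowUsers entries are glob patterns.
        case "$user" in ${p%%@*}) return 0 ;; esac
    done <<EOF
$patterns
EOF
    return 2
}

# Constructed sample configuration, not taken from a real server.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
    'AllowUsers username adm*' > "$sample"
check_sshd_lockout "$sample" username && echo "username: can log in"
check_sshd_lockout "$sample" backup || echo "backup: locked out (code $?)"
rm -f "$sample"
```

On the server itself, sshd -t checks the file's syntax and sshd -T prints the effective configuration. Keep the current root session open until a new login as username succeeds.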
