Lab 007: Disable Root Login
Requirements
After some security audits of its servers, the xFusionCorp Industries security team has implemented some new security policies. One of them is to disable direct root login through SSH.
Disable direct SSH root login on all app servers in Stratos Datacenter.
Note
This lab demonstrates security best practices by disabling direct root login.
Prerequisites
- SSH access to the app servers (App Server 1, 2 and 3) with current root or sudo privileges.
- SSH daemon (sshd) is running.
Steps
Log in to App Server 1 and switch to root. For the server credentials, check out the Project Nautilus documentation.
sshpass -p '********' ssh -o StrictHostKeyChecking=no tony@172.16.238.10
sudo su -
********
[root@stapp01 ~]# sudo vi /etc/ssh/sshd_config
......................
# change yes to no
PermitRootLogin no
......................
[root@stapp01 ~]# grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
# Alternatively, make the change with sed. This pattern only rewrites a "PermitRootLogin yes" line
# (commented or not); it does not touch the setting of "PermitRootLogin without-password".
sed -i.bak 's/^[[:space:]]*#\?PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl enable sshd
sudo systemctl restart sshd
sudo systemctl status sshd
Repeat the same steps on App Servers 2 and 3.
Verification
- Confirm the SSH daemon restarted successfully with systemctl status sshd.
- An attempted root login should fail with "Permission denied (publickey,password)".
- Regular user login should still work.
- Verify PermitRootLogin no in /etc/ssh/sshd_config on all app servers.
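As an added example that is not part of the lab, the following POSIX shell script reads the effective global PermitRootLogin value the way sshd does (first directive wins, comments are ignored, Match blocks are excluded), which a plain grep for the keyword cannot tell you. It runs against constructed sample files rather than the lab servers, and it assumes the config does not use Include directives.

```shell
#!/bin/sh
# Added example, not part of the lab: report the PermitRootLogin value sshd
# will actually use from a given sshd_config, following sshd's own rules:
#   - keywords are case-insensitive; leading whitespace and '#' comments are ignored
#   - the FIRST matching directive wins; later duplicates are silently ignored
#   - directives after a 'Match' header are conditional, so the global scan stops there
# Prints "default" when no global directive is set (OpenSSH >= 7.0 defaults to
# prohibit-password, which is what a commented-out default line leaves in force).
# Assumption: the file does not use Include; sshd -T on the host covers that case.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == "match" { exit }              # conditional block: stop the global scan
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, "[ \t=]+")               # accept "Key value" and "Key=value"
            if (tolower(kv[1]) == "permitrootlogin") { print tolower(kv[2]); found = 1; exit }
        }
        END { if (!found) print "default" }
    ' "$1"
}

# Succeeds only when the effective value is "no", i.e. the lab requirement is met.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real server) for a self-contained run.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Compliant: commented default, explicit "no", and a Match block that must be ignored.
printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nMatch User tony\n    PermitRootLogin yes\n' > "$tmp/good.conf"
# Non-compliant: "no" appears, so grep looks fine, but the earlier "yes" is what sshd uses.
printf 'PermitRootLogin yes\n# later duplicate never wins\nPermitRootLogin no\n' > "$tmp/bad.conf"
# Nothing set, e.g. after a sed that only matched "PermitRootLogin yes".
printf 'Port 22\n' > "$tmp/unset.conf"

for f in good bad unset; do
    printf '%s.conf: PermitRootLogin %s\n' "$f" "$(effective_permit_root_login "$tmp/$f.conf")"
done
```

On a live host, `sshd -T | grep -i permitrootlogin` prints the effective value after Include files are merged, and `sshd -t` validates the syntax before you restart the daemon.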