How To Disable The Root Account On Linux
Disabling the root account on a Linux system might seem crazy, but that’s where you’re wrong. As it turns out, the disabling of the root user is a solid security measure. In fact, many Linux operating system developers agree on the root user subject, and it’s increasingly common disable the root account on these systems.
A system without a direct line to the root user isn’t immune to attack, though chances are are greatly reduced that an attacker can get in to the system and totally mess it up. This is mainly because even with access to sudo, certain areas of the system are not modifiable if you disable the root account on Linux.
Pre-requisites
Before going on to disable the root account on the system, a few things need taking care of. The first step in this process is to make sure that all users with the ability to run commands as sudo have a secure password. Having a weak user password will negate securing the root account, and that’s bad news.
The quickest way to secure a user account is to simply change the password. To do this, open up a new terminal and run the passwd command, along with your username. Doing this will force the system to reset to a new password that the user enters.
sudo passwd username
In the “enter new UNIX password” prompt, enter a system password that is memorable and not a dictionary word. Additionally, try not to reuse old passwords.
Having a hard time finding a good password to secure your user account? Try out Secure Password Generator. It specializes in making smart, secure passwords for free!
Now that usernames with access to sudo have secure passwords, it’s time to review the sudoers file. Check out our guide here and learn how to disable sudo access for any accounts you believe unworthy to run root-level commands.
Disable The Root Account
Disabling the root account requires some form of superuser access. Luckily, disabling and scrambling the password doesn’t specifically require logging in as the root user. Instead, any user on the system with access to sudo will work. To gain a root terminal shell without logging in as the root system user, do the following in a terminal window:
sudo -s
Running sudo -s allows any user with the correct privileges to access root and execute system-level commands, much like a root user can.
In the terminal, use the passwd command and disable the account so that no users on the system have the ability to log in to it.
passwd -l root
Locking the account is a solid way to secure the root account. However, it is not the only way to secure it. If you feel like locking won’t be effective enough, scrambling and giving the account an unusable password is the way to go. To scramble the root account, enter the following command in a terminal:
usermod -p '!' root
Scrambling the password is instant. As soon as the usermod command finishes, the root password is inaccessible.
Done locking the root account up? Exit the superuser shell with the exit command to finish up the process.
Re-enabling Root
Having the root account disabled is good security practice. Still, having access to it has its perks. Mainly, the ability to modify your Linux system to its full potential. If you’ve decided to turn the root account on your Linux PC back on, the process is easy to reverse.
In the terminal, run sudo -s, like last time. Doing this gives the terminal superuser access. From here, it’ll be possible to de-scramble the password.
Using the passwd command, unlock the Root account.
passwd root
Running the passwd root command forces a password reset. Be sure to set the new root password to something secure. When the password is done re-setting, log out of the terminal with the exit command.
Root – Best Practices
Disabling root (or at least securing the password) is a good start, but not enough in terms of security. If you want to truly protect your Linux system, try following these basic steps:
- Ensure that your root password is no shorter than 14 characters long. Having a long password makes it harder to guess.
- Never use the same password for a user account and the root account.
- Change passwords every month or so, on every account, including root.
- Always use numbers, as well as upper/lower case letters and symbols in passwords.
- Create special administrator accounts with sudoer privileges for users that need to run superuser commands, rather than giving out the system password.
- Keep your SSH keys secret and only allow trustworthy users to log in as root over SSH.
- Enable two-factor authentication during login to prevent your system from being tampered with.
- Make full use of the Linux firewall on your system.
Nice Article.. I like the way you explain each and every point about the Root account and the benefits of disabling the root account.