Shulou(Shulou.com)06/01 Report--

Editor to share with you how to disable Root login under Linux, I believe most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

1. Modify the login Shell of Root users

We can change the login Shell of Root users to / sbin/nologin by editing the / etc/passwd file.

$sudo vim / etc/passwd root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/sbin/nologin

After that, logging in with Root will only display a message "This account is currently not available". Of course, you can also customize the error message by modifying / etc/nologin.txt.

This method can only prohibit login scenarios that require Shell users, but Root accounts can still be used for operations such as Sudo and FTP.

two。 Prohibit Root users from logging in on any terminal device

In the PAM module under Linux, there is a module called pam_securetty, which can limit Root users to login only on secure terminals.

The so-called security terminal is determined by / etc/securetty, which contains several lines of tty device names (one device name per line, not preceded by / dev/), and only these device names allow Root users to log in.

Therefore, we can prevent Root users from logging in by emptying the list of security terminals.

$sudo mv / etc/securetty / etc/securetty.orig $sudo touch / etc/securetty $sudo chmod 600 / etc/securetty

This method only affects programs that need to assign terminals, such as display managers such as login,gdm/kdm/xdm, and operations such as Su, Sudo, SCP, SFTP, SSH, and so on.

3. Prohibit Root users from logging in through SSH

Modify the SSH configuration file / etc/ssh/sshd_config by adding the PermitRootLogin no configuration item to it.

Then, restart the SSHD service for the configuration to take effect.

$sudo systemctl restart sshd OR $sudo service sshd restart

Obviously, this approach only affects the SSH family of tools such as SSH, SCP, SFTP, and so on.

4. Prohibit Root users from accessing Login and SSHD services through the PAM module

We can use the / lib/security/pam_listfile.so module to restrict specified users from accessing certain services. The steps are as follows:

Create a file that needs to disable access to the user, such as: / etc/deniedusers. Add Root or any user name that you don't want it to access the service.

$sudo echo root | tee-a / etc/deniedusers

Set permissions for this file.

$sudo chmod 600 / etc/ssh/deniedusers

Add the following configuration to the / etc/pam.d/login or / etc/pam.d/sshd file.

Auth required pam_listfile.so\ onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers above is all the content of this article "how to disable Root login under Linux". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.