How to disable root User Login on CentOS

The root user has superuser privileges in a VPS (Virtual Private Server) setup. This gives it unrestricted access to the system, meaning it can do anything on the system. For security reasons, it is advisable to disable direct server access for the root user. Instead, log in as a regular user that has been given superuser privileges. This article focuses on how to disable root user login.

To achieve this, see below a highlight and an explanation of the steps involved.

  1. Connect to the VPS
  2. Create new user
  3. Grant the new user sudo privileges
  4. Check if the new user is able to execute the root tasks
  5. Disable the root user
  6. Final Test.

How to connect to VPS on SSH

Access the VPS over SSH using your preferred SSH client. If on the terminal, use one of the following commands.

ssh root@Vps-IP #assumed that the ssh port is 22
ssh root@Vps-IP -p ssh-port    #Use this when a different port is set

How to create a new user

Once logged into the VPS, create a new user who will take over the administrative tasks from root. Execute the following command to create the user:

adduser newuser  #where newuser is the name of the new user. Follow the prompts as needed and supply the required information

Since the user created does not have administrative privileges, run the following command to give the user sudo access.

usermod -aG sudo newuser    ##Debian/Ubuntu
usermod -aG wheel newuser    #CentOS/RHEL

If the above command throws an error, the sudo group does not exist. The group used to grant sudo privileges has a different name in some distributions. To determine which group grants sudo privileges on your system, run the following command:

sudo visudo

Once the file opens, locate the line that begins with '%sudo', '%admin' or any other name preceded by a percentage sign. It usually sits below the comment "## Allows people in group wheel to run all commands". Then run the usermod -aG sudo newuser command again, replacing sudo with the group name you identified.

How to change or set a user password on SSH

If you were not asked for a password when creating the new user, proceed and set up a password. Run the command below.

passwd newuser #where newuser is the username of the user you just created. Enter the new password and confirm.

Test the new user

Switch to the new user created and test if this user can execute the root commands. To switch to the new user, run the following command.

su - newuser   #switch to the new account; enter the password on prompt.

Once you have switched to the new user, you can check if you are able to run the administrative sudo commands by running the following.

sudo ls -la /root     #This will check if the new user is able to list, or read the content in the root folder.

If the above works as needed, proceed to disable the root login. While still logged in, edit the ssh configuration file. Open the file with your preferred text editor.

sudo nano /etc/ssh/sshd_config

Locate the line with the root access settings, that reads: “PermitRootLogin yes” and replace this directive with “PermitRootLogin no”. If the directive does not exist, add it. Save the file and exit. Proceed to restart the ssh service by running the command:

systemctl restart sshd     #in centos
OR
service sshd restart #in centos
sudo service ssh restart  #in ubuntu
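
sshd uses the first value it reads for a keyword, so where the PermitRootLogin line sits in the file matters when you add it rather than edit it. The following shell sketch is an added example, not part of the original article: it reports the value that takes effect in the global section of a config file, run here against constructed sample files, and its function names are hypothetical.

```shell
# Report the PermitRootLogin value that sshd would take from the global
# section of a config file. sshd uses the FIRST value it reads for a keyword,
# so a "PermitRootLogin no" appended below an earlier "yes" has no effect.
# Assumptions: Include files are not followed; Match blocks are ignored.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/   { next }   # skip comments and blank lines
        tolower($1) == "match"     { exit }   # global section ends here
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds only when the effective global value is exactly "no".
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Directive edited in place: the commented default is skipped, "no" applies.
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
    > "$demo_dir/fixed.conf"
# "no" appended at the end while an active "yes" remains above it.
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PermitRootLogin no' > "$demo_dir/appended.conf"
# Directive present only inside a Match block, so no global value is set.
printf '%s\n' '#PermitRootLogin yes' 'Match User backup' \
    '    PermitRootLogin no' > "$demo_dir/match_only.conf"

for f in fixed appended match_only; do
    printf '%-12s %s\n' "$f" \
        "$(effective_permit_root_login "$demo_dir/$f.conf")"
done
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before the restart, and `sudo sshd -T | grep -i permitrootlogin` prints the value sshd actually resolved.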

Enable Passwordless login (sudo su)

If you log in using a user with sudo privileges, you may want to just run the sudo su command to switch to the root user or be able to execute sudo commands without being required to input the password. See how to ensure this happens:

Run the following command to edit configuration settings:

sudo visudo

Identify the block that defines the actions of users in the wheel/sudo group. It looks as below:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

Update the block to the following

## Allows people in group wheel to run all commands
#%wheel  ALL=(ALL)       ALL

## Same thing without a password
%wheel        ALL=(ALL)       NOPASSWD: ALL

Save the above settings. The changes should take effect immediately. However, you can do the following to reload and ensure the changes take effect.

sudo -k    # Clear Sudo Cache
OR
logout, login again and test.

To test, log in and try switching to root, for example:

Switching to Root User in Linux

- `sudo su`: Switches to root user in the current user's home directory.
- `sudo su -`: Switches to root user in root's home directory with root's environment.
- `sudo -i`: Switches to root user in root's home directory, emulating an interactive login.

Testing the configurations

The final step is to test the configuration. This ensures that the setup works as expected before you log out. Open a new tab in the terminal or a new session in your preferred SSH client. Try accessing the VPS as the root user. You should get an error that “login is not permitted”. Now try accessing the VPS as the newly created user. If this succeeds, the new user is properly set up and root login is disabled.

Summary commands

> adduser newuser  #add new user
> passwd newuser   #change/set password for user

> su - newuser      #switch to new user
> sudo ls -la /root   #test if this sudo works

> exit   #switch back to root
> usermod -aG wheel newuser    #add new user to wheel group with sudo privileges
> su - newuser    #switch to new user again
> sudo ls -la /root    #test if sudo works. This should now work!

##DISABLE ROOT LOGIN
> sudo nano /etc/ssh/sshd_config
Locate the line "PermitRootLogin yes" and replace with "PermitRootLogin no" and save.
> systemctl restart sshd   #restart sshd
Test in a different tab that everything works as expected before logging out of the active session.



##How to disable password on sudo su

> sudo visudo

check out this section
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

Update to

## Allows people in group wheel to run all commands
#%wheel  ALL=(ALL)       ALL

## Same thing without a password
%wheel        ALL=(ALL)       NOPASSWD: ALL

save changes
> sudo -k    # Clear Sudo Cache
OR logout, login again and test.
