SSH root login security is one of the most critical aspects of protecting your server from unauthorized access. In this guide, we’ll walk you through two essential security measures: disabling root login and using SSH keys for authentication.
Why SSH Security Matters
Secure Shell (SSH) is the primary method for accessing and administering Linux servers remotely. Weak SSH configurations can compromise SSH root login security, exposing your system to brute-force attacks, credential stuffing, and unauthorized logins — especially when root access is allowed or password-based logins are enabled.
Step 1: Disable Root Login
The root user has full control over the system. Allowing root to log in over SSH can be dangerous — especially if password authentication is enabled.
How to Disable Root Login
1. Connect to your server using a non-root user (or root for now if it’s your first time).
2. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
3. Find the line:
PermitRootLogin yes
And change it to:
PermitRootLogin no
If the line doesn’t exist, add it at the end of the file.
4. Save and exit (Ctrl+X, then Y and Enter).
5. Restart the SSH service:
sudo systemctl restart sshd
Important: Ensure you’ve created a non-root user with SSH access before disabling root login.
Step 2: Use SSH Key Authentication
SSH key pairs offer strong, password-less authentication that is extremely difficult to brute-force.
How to Set Up SSH Keys
On Your Local Machine (Client)
1. Generate a key pair:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Press Enter to accept the default path (~/.ssh/id_rsa).
- Set a passphrase for extra security (optional but recommended).
2. Upload the public key to the server:
ssh-copy-id username@your-server-ip
Or manually:
cat ~/.ssh/id_rsa.pub | ssh username@your-server-ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
3. Test your login:
ssh username@your-server-ip
Step 3: Disable Password Authentication (Optional but Recommended)
Once you’ve confirmed key-based login works, disable password login to strengthen SSH root login security and eliminate password-based attacks.
1. Edit the SSH config:
sudo nano /etc/ssh/sshd_config
2. Change or add:
PasswordAuthentication no
3. Restart SSH:
sudo systemctl restart sshd
Your server will now only accept SSH connections using keys.
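As an added example (not part of the original guide), the script below reports which value of PermitRootLogin and PasswordAuthentication actually takes effect in a config file. sshd uses the first value it reads for each keyword, so a line added at the end of the file is ignored when an earlier one exists. The function names and sample configs are constructed for illustration; only the global section is read and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the original guide). sshd keeps the FIRST value it
# reads for each keyword, so a line appended to sshd_config is ignored when
# the keyword already appears earlier. Assumptions: global section only
# (stops at the first Match block); Include files are not followed.

# Print the value sshd would use for KEYWORD in FILE, or "unset".
effective_sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/      { next }     # blank lines and comments
        tolower($1) == "match"    { exit }     # conditional blocks start here
        tolower($1) == want       { print tolower($2); found = 1; exit }
        END                       { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when both settings from the guide are the effective ones.
audit_sshd_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        got=$(effective_sshd_value "$1" "$key")
        if [ "$got" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key is '$got', expected 'no'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the hardening lines were appended after older values.
write_sample_appended() {
    printf '%s\n' 'Port 22' 'PasswordAuthentication yes' \
        '#PermitRootLogin yes' 'UsePAM yes' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$1"
}

# Constructed sample: the existing lines were edited in place instead.
write_sample_edited() {
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
        'PermitRootLogin no' 'UsePAM yes' > "$1"
}

demo_dir=$(mktemp -d)
write_sample_appended "$demo_dir/appended"; write_sample_edited "$demo_dir/edited"
audit_sshd_config "$demo_dir/appended" || echo "=> appended lines are shadowed"
audit_sshd_config "$demo_dir/edited" && echo "=> hardened"
rm -rf "$demo_dir"
```

On a live server, `sudo sshd -t` validates the file before a restart and `sudo sshd -T` prints the effective settings, including values pulled in from Include files.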
Additional Tips
- Use Fail2Ban to block repeated failed login attempts.
- Change the default SSH port (22) to a custom port (e.g., 2222) to reduce bot scans.
- Ensure your .ssh folder and files have the correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Summary
Security Measure | Recommended Action |
---|---|
Disable Root Login | Yes |
Use SSH Key Authentication | Yes |
Disable Password Login | Strongly Recommended |
By following these SSH best practices, you significantly reduce the risk of unauthorized access to your server infrastructure.