
Disabling root SSH logins

by: admin - Dec 10, 2005

My web server was set up just 6 days ago. Within a couple of days, it was already attracting a number of "probes". Casually, I went through the /var/log/messages file. It was amazing... 8O

Every day, more and more people were attempting to log in as root!

Generic Code Example:

Dec  6 09:25:24 vis sshd(pam_unix)[14882]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.119.93.3  user=root
...
Dec  7 06:09:25 vis sshd(pam_unix)[20197]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.direct-36-24.bgcell.net  user=root
Dec  7 06:09:25 vis sshd(pam_unix)[20195]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.direct-36-24.bgcell.net  user=root
Dec  7 06:09:25 vis sshd(pam_unix)[20196]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.direct-36-24.bgcell.net  user=root
...
Dec  8 09:08:02 vis sshd(pam_unix)[7564]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vaibhavgems.co.in  user=root
Dec  8 09:08:02 vis sshd(pam_unix)[7561]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vaibhavgems.co.in  user=root
Dec  8 09:08:02 vis sshd(pam_unix)[7567]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vaibhavgems.co.in  user=root
Dec  8 09:08:02 vis sshd(pam_unix)[7560]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vaibhavgems.co.in  user=root
Dec  8 09:08:02 vis sshd(pam_unix)[7566]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vaibhavgems.co.in  user=root

There is a lot more to show than just these lines, but I don't want to bore you now.

To disable direct root logins like this, I made the following changes...

Find the sshd_config file

Log in as root :P

My sshd_config file is located at /etc/ssh/sshd_config, which is probably the most common place to find it. If yours is not there, you can search for it:

Generic Code Example:

find / -name "sshd_config"

Edit the sshd_config file

What we want to do is edit this file. At a minimum, we need to uncomment and edit just one line in it.

To edit, I used vim, a text editor I am quite comfortable with (on Linux). Back to the steps...

Open the file for editing:

Generic Code Example:

vim /etc/ssh/sshd_config

You should be viewing the contents of this file now. We're looking for #PermitRootLogin yes. If you don't know how to move around this file, or to look for this line, just use the arrow keys.

To modify the line, you just press the i key on your keyboard and you should be in vim's "INSERT" mode.

Just remove the hash sign (to uncomment the line, or enable it) and change the value to no. It should look like this after the modifications:

Generic Code Example:

...
PermitRootLogin no
...

Press the ESC key to exit vim's "INSERT" mode, then type :wq and press ENTER, to save the changes and to exit vim.

Restart sshd

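To make these changes active, you need to restart sshd. Before you do, make sure a regular user account exists that can log in over SSH and su to root, otherwise you will lock yourself out of the server.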

Generic Code Example:

/sbin/service sshd restart

Now, every time you log in to your remote (web) server, you need to log in as a regular user and, once logged in, "substitute user" to root, i.e. su -.
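The same edit done without an editor, with a check of the value sshd will actually use. This is an added example, not part of the original post; the function names effective_root_login and disable_root_login are made up here, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Works on the file path you pass in.

# Print the global value sshd would use: the first uncommented PermitRootLogin
# found before any Match block (sshd keeps the first value it reads).
# Assumes the usual "Keyword value" form separated by whitespace.
effective_root_login() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
        tolower($1) == "match" { exit }               # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Rewrite the first global PermitRootLogin line (commented out or active) to
# "PermitRootLogin no"; if there is none, add the directive at the top.
disable_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        tolower($1) == "match" { inmatch = 1 }
        !done && !inmatch && tolower($0) ~ /^[ \t]*#?[ \t]*permitrootlogin[ \t]/ {
            print "PermitRootLogin no"; done = 1; next
        }
        { print }
        END { if (!done) exit 3 }
    ' "$cfg" > "$tmp" || { echo "PermitRootLogin no"; cat "$cfg"; } > "$tmp"
    cat "$tmp" > "$cfg"      # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    [ "$(effective_root_login "$cfg")" = "no" ]
}

# Constructed sample input, shaped like the stock file the post edits.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$sample"
echo "before: $(effective_root_login "$sample")"
disable_root_login "$sample" && echo "after:  $(effective_root_login "$sample")"
rm -f "$sample"
```

On the real file, run sshd -t to check the syntax before restarting sshd. A Match block further down can still set PermitRootLogin for particular connections, so review those separately.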
