14

I always read I should disable root login for SSH and log in with a user which has sudo. But where is the difference between:

ssh root@vps 

and

ssh myuser@vps
sudo -i 

I don't have physical access to my server and need root permissions per remote access in some way. Is the only advantage here, that the username is unknown?


Security Tip: Disable Root SSH Login on Linux

One of the biggest security holes you could open on your server is to allow directly logging in as root through ssh, because any cracker can attempt to brute force your root password and potentially get access to your system if they can figure out your password.

It’s much better to have a separate account that you regularly use and simply sudo to root when necessary.

4
  • 3
    Just disable passwords completely and use public key auth. Or at least use PermitRootLogin without-password. Also, take a look at this.
    – Daniel B
    Commented Nov 27, 2015 at 16:50
  • 1
    Because there isn't a good reason to allow root login?
    – Braiam
    Commented Nov 28, 2015 at 4:21
  • Because "root" is default admin login, so it's easy target for SSH scanner. Also better install Fail2ban and log in as normal user and then run "su" command
    – user956584
    Commented Dec 21, 2015 at 17:25
  • ( SSH pub/private keys) vs (SSH login with password), they are different!!! why do people keep using confusing terms for such different things
    Commented May 26, 2022 at 19:09

2 Answers

3

You answered your own question. By disabling remote access to root in *Nix or administrator access in Windows, you make it that much harder for someone to gain privileged access to your computer. If someone steals or brute-forces your non-privileged account password, then they only have limited access.

7
  • :P Quick way of getting extra points! Well played that lad. Good answer though :)
    – Kinnectus
    Commented Nov 27, 2015 at 17:17
  • 10
    " If someone steals or brute-forces your non-privileged account password, then they only have limited access." - Wrong if they can just run sudo -i and retype the password!
    Commented Nov 27, 2015 at 21:14
  • 1
    @user20574 you are making the assumption that the user has root privs.
    – Keltari
    Commented Nov 27, 2015 at 21:24
  • 8
    @Keltan You read the question right? This is for a situation where some user needs to be able to use root privileges.
    Commented Nov 27, 2015 at 21:27
  • 1
    The method used to gain access doesn't necessarily give them the user's password.
    – Tanath
    Commented Dec 4, 2015 at 20:48
3

root is a dangerous account since it can literally do anything it wants on the system. You want to protect it from unauthorized access as much as possible.

By disallowing root logins via SSH, you require 2 passwords for someone to gain root, instead of 1. If someone is trying to guess or crack your passwords, this doubles their workload.

@Daniel B. in the comments is right, using keys is better than passwords, if they are passphrase-protected.

The above still applies if you only allow passphrase-protected keys instead of passwords - and still disallow root from logging in even with a key. So even if you use keys instead of passwords there is a benefit from disabling direct root login via SSH.

4
  • You write "if you disable SSH login with passphrase-protected keys instead of passwords " <-- What does that mean? If you disable A instead of B. Do you mean if you Enable A(passphrase-protected keys) and disable B(passwords)? You could've written that more clearly.
    – barlop
    Commented Nov 27, 2015 at 18:31
  • Agreed, I edited. :)
    – LawrenceC
    Commented Nov 27, 2015 at 18:47
  • 1
    Two passwords to gain root is with su. For sudo (like in the question's example and quoted advice) this is the same password, so there's only one (that you might need to type more than once).
    – Dan Getz
    Commented Nov 28, 2015 at 2:31
  • 2
    @DanGetz Depends. You can also require the target user’s (or root’s) password with sudo. // Also, I disagree about passwords on keys being required. Keys prevent brute force attacks (targeting sshd) either way.
    – Daniel B
    Commented Nov 30, 2015 at 8:23
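
The settings raised in this thread (PermitRootLogin, including the without-password value, and password versus public key authentication) live in the server's sshd_config. The Python below is an added example, not part of the original question or answers: it reads the global section of a config the way sshd does (first value per keyword wins, keywords are case-insensitive) and reports what those settings permit. The function names, the sample configuration and the finding texts are constructed for illustration, and the defaults assume OpenSSH 7.0 or later.

```python
import re

# OpenSSH defaults assumed (7.0 and later) for keywords the file omits.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
# Ignored by sshd: the first value read for a keyword wins.
passwordauthentication no
Match User backup
    PermitRootLogin yes
"""

def effective_globals(text):
    """Global keyword -> value, keeping the first occurrence as sshd does."""
    seen = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([^\s=#]+)(?:\s*=\s*|\s+)(\S.*)", raw)
        if not m:                          # blank line, comment, or no value
            continue
        keyword = m.group(1).lower()       # keywords are case-insensitive
        if keyword == "match":             # the rest of the file is conditional
            break
        seen.setdefault(keyword, m.group(2).strip().strip('"'))
    return {**DEFAULTS, **seen}

def audit(text):
    """Findings for the global scope; Match blocks and PAM are not evaluated."""
    cfg = effective_globals(text)
    root = cfg["permitrootlogin"]
    if root == "without-password":         # deprecated alias
        root = "prohibit-password"
    passwords = cfg["passwordauthentication"] == "yes"
    findings = []
    if root == "yes" and passwords:
        findings.append("root password can be guessed over SSH")
    elif root != "no":
        findings.append("root can log in directly, with a key only")
    if passwords:
        findings.append("account passwords can be guessed over SSH")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("public key authentication is disabled")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns two findings for the sample; a config with `PermitRootLogin no` and `PasswordAuthentication no` returns none.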
