Valid for VPS+, VPS, Cloud Servers, Dedicated Servers, and Value Servers.

This article walks you through disabling the root login.

By default, the root account is created as the first account on every Linux system. The root account has the highest rights. With the root account, you have access to all commands and files, and have full read, write, and execute privileges. If this account is used improperly or inappropriately, this can have a significant impact on your server.

Caution

Before disabling the SSH root login, make sure that an alternative user with sudo rights exists, and that you can successfully connect with this user via SSH. Otherwise you will lose administrative access to your server!

To deactivate the SSH root login:

  • Create a backup of the configuration. To do this, enter the following command:

    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

  • Open the sshd_config (SSH configuration) file with the vi text editor:

    vi /etc/ssh/sshd_config

    Note
    The vi editor has an insert mode and a command mode. You can call up insert mode with the [i] key. In this mode, the characters entered are immediately inserted into the text. To call up command mode, press [ESC]. If you use command mode, your keyboard entries are interpreted as a command.

  • Find the PermitRootLogin line and make sure that it looks like this (change “yes” or “prohibit-password” to “no”):

    PermitRootLogin no

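  • Make sure that this directive does not occur more than once. sshd uses the first value it reads for a keyword, so a duplicate can leave a different setting in effect than the one you edited. Remove any duplicate entries.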

  • To exit vi and save the file, enter the following command in command mode and then press Enter:

    :wq

  • On many systems, drop-in files in /etc/ssh/sshd_config.d/*.conf can override values. To check this, enter the following command:

    grep -nH "PermitRootLogin" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null

  • Before restarting the service, check the configuration file for syntax errors. To do this, enter the following command:

    sshd -t

    If the command prints nothing, the configuration contains no syntax errors.

  • To make the change effective, restart the SSH service. Select the appropriate command for your operating system:

    Ubuntu 22.04 and 24.04; Debian 11, 12, and 13

    systemctl restart ssh

    Rocky Linux 8, 9, and 10; AlmaLinux 8, 9, and 10

    systemctl restart sshd

  • To check whether the changes are effective, enter the following command:

    sshd -T | grep -i permitrootlogin
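
The duplicate and drop-in checks above can be combined into one pass that lists every PermitRootLogin entry in the order sshd reads it, following Include lines. This is an added example, not part of the original article: the function names and the sample file 50-example.conf are constructed, Match blocks are not evaluated, and sshd -T remains the authoritative check.

```shell
#!/bin/sh
# sshd keeps the first value it obtains for a keyword, so the first line
# printed by scan_config is the setting that takes effect.
# Simplification (assumption): a file is read only up to its first Match line.

# scan_config FILE [BASEDIR]: print "file:line:value" per PermitRootLogin entry.
scan_config() {
    cfg=$1; base=${2:-/etc/ssh}; n=0
    [ -r "$cfg" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # sshd accepts "Keyword value" and "Keyword=value"; keywords ignore case.
        set -f; set -- $(printf '%s' "$line" | tr '=' ' '); set +f
        key=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')
        case $key in
            permitrootlogin) printf '%s:%s:%s\n' "$cfg" "$n" "${2:-}" ;;
            match) break ;;
            include)
                shift
                for pat in "$@"; do
                    # Relative Include paths are resolved against BASEDIR.
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do   # glob expands in lexical order
                        if [ -f "$f" ]; then (scan_config "$f" "$base"); fi
                    done
                done ;;
        esac
    done < "$cfg"
}

# effective_root_login FILE [BASEDIR]: the value used outside Match blocks.
effective_root_login() {
    scan_config "$@" | awk -F: 'NR == 1 { print $NF }'
}

# build_demo DIR: constructed sample tree; the Include precedes the main setting.
build_demo() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' \
        '#PermitRootLogin prohibit-password' 'PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' 'permitrootlogin yes' > "$1/sshd_config.d/50-example.conf"
}

demo=$(mktemp -d)
build_demo "$demo"
scan_config "$demo/sshd_config" "$demo"
echo "effective: $(effective_root_login "$demo/sshd_config" "$demo")"
rm -rf "$demo"
```

In the constructed tree the main file says "no", yet the drop-in is read first and "yes" stays in effect. On a server, run scan_config /etc/ssh/sshd_config as root and change or remove the first entry it prints.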

Restoring config in case of issues

To restore the backed up configuration, enter the following commands:

Ubuntu 22.04 and 24.04; Debian 11, 12, and 13

cp -a /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
sshd -t && systemctl reload ssh

Rocky Linux 8, 9, and 10; AlmaLinux 8, 9, and 10

cp -a /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
sshd -t && systemctl reload sshd