Secure SSH root access

Any web hosting provider will want to secure SSH root access on its dedicated web servers. This guide is my small contribution toward that, and I hope it helps you all.


Add a user on the dedicated server

To begin, SSH into your server as root. Once you’re logged in, you should see a shell prompt similar to:

root@server[~]#

The command to add a user is shown below. I will use the username “support”.

root@server[~]# /usr/sbin/adduser support

Once the user is added you can verify by using the below command:

root@server[~]# cat /etc/passwd | grep support

Set a password for the user (support)

Use the command below to set a password for the user “support”:

root@server[~]# passwd support

Note: Make sure you pick a secure password which consists of between 6-8 characters and contains letters, numbers, and punctuation marks.

To make sure this user account that you have created works, open another SSH window and proceed to log in with the user “support”. Once you’ve successfully verified that this account works, you may exit the session.

Verifying the su command’s permissions and ownership

It is recommended to verify that the “su” command is owned by root and the wheel group, and that its permissions are set correctly.
This can be checked with the command below:

root@server [~]# ls -la /bin/su

The output should be:

-rwsr-x---  1 root wheel 61168 Nov 18 07:17 /bin/su*
If the output is as above, you can skip the commands below.

The ownership and permissions of su can be set with the commands below:
root@server [~]# chmod 4750 /bin/su
root@server [~]# chown root:wheel /bin/su

Now, add the user to the wheel group

We have to add our new user “support” to the wheel group so that it is allowed to gain root access through su, while the account itself has *NO* root privileges. That means this user will be able to log into the server, but won’t be able to perform any root tasks until the user switches to the root user.

In SSH you have to type the below command:

root@server[~]# /usr/sbin/usermod -G wheel support

Before proceeding, log in to your server again using the “support” account. At the SSH prompt, type “su” followed by the Enter key, and then enter the root password. If you were successful, you should be at a root prompt:

root@server [~]#

To confirm that you are root, type the command whoami at the SSH prompt, which should display your root account.

Editing the sshd_config file, and restarting SSH daemon

Now we have to disable direct root access to your dedicated web server. Use the below command:

nano /etc/ssh/sshd_config

Scroll down until you see the following lines:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

To disable SSH root login, remove the hash symbol (#) before PermitRootLogin, and change the “yes” next to PermitRootLogin to “no” so that it now looks like:

#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

Note: If you see the value of LoginGraceTime different from my value of 120, you do not need to worry as it does not affect the functionality.

Restarting SSH daemon

Finally, to make the changes take effect, you have to restart SSH by running the following command (as root):

root@server [~]# service sshd restart
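
Added example (not part of the original article): a pre-restart check for the procedure above, written as a POSIX shell script. It confirms that PermitRootLogin is really uncommented and set to no, and that a non-root wheel member such as “support” exists, so the restart cannot leave the server without a path to root. The script name check.sh and the --live switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lockout check to run before "service sshd restart".
# Limitation: Match blocks and Include files are not evaluated.

# Print the effective PermitRootLogin value in an sshd_config file.
# Commented lines are ignored and sshd keeps the first value it reads.
# Prints "default" when the keyword is never set, e.g. the "#" was left in.
effective_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Print the non-root members of wheel from a group(5)-format file.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1" | tr ',' '\n' |
        grep -v -e '^root$' -e '^$' || true
}

# Return 0 only when root login is off and someone can still su to root.
safe_to_restart() {
    cfg_file=$1
    group_file=$2
    members=$(wheel_members "$group_file")
    if [ -z "$members" ]; then
        echo "REFUSE: no non-root user in wheel, nobody could su to root" >&2
        return 1
    fi
    mode=$(effective_root_login "$cfg_file")
    if [ "$mode" != "no" ]; then
        echo "NOT APPLIED: effective PermitRootLogin is '$mode', expected 'no'" >&2
        return 2
    fi
    echo "OK: root login disabled, wheel members:" $members
}

# Act on the live files only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    safe_to_restart /etc/ssh/sshd_config /etc/group &&
        sshd -t && service sshd restart
fi
```

For the configuration sshd will actually apply, including Match and Include, compare the result against the output of sshd -T.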

Best of luck!

This article is released by SupportFacility.Com.

2 thoughts on “Secure SSH root access”

  1. Mypeaccek

    Hello

    As a fresh supportfacility.com user I just wanted to say hello to everyone else who uses this board :>
