Disable Root Account
You hardly (if ever) need the root password if you log in with a normal account and use sudo to elevate your privileges. Hence, it is a good measure to prevent anyone from logging in as root directly.
A few solutions exist to lock down the root account.
Disable Remote Access
In /etc/ssh/sshd_config, set PermitRootLogin to no and reload sshd:
PermitRootLogin no
Keep in mind that sshd uses the first occurrence of a keyword in the file, so a PermitRootLogin line that appears earlier in sshd_config overrides one added at the end. If the keyword is absent entirely, OpenSSH 7.0 and later default to prohibit-password, which still allows root to log in with a public key.
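As an added example (not part of the original page), the shell function below reads an sshd_config from standard input and prints the effective global PermitRootLogin value the way sshd would resolve it: comments are dropped, keywords are case-insensitive and may use "Key Value" or "Key=Value", the first occurrence wins, a Match block ends the global section, and an absent keyword falls back to the OpenSSH 7.0+ default of prohibit-password. The function names and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example: report the effective global PermitRootLogin value of an
# sshd_config read from stdin. Not part of the original page.
#
# Rules mirrored from sshd_config(5):
#   - '#' starts a comment; blank lines are ignored
#   - keywords are case-insensitive and may be written "Key Value" or "Key=Value"
#   - the FIRST occurrence of a keyword is the one that counts
#   - a Match block ends the global section; settings inside it are conditional
#   - if the keyword is absent, OpenSSH 7.0 and later default to prohibit-password
permit_root_login_setting() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }                    # strip comments, normalise "Key=Value"
        NF == 0 { next }
        tolower($1) == "match" { exit }                       # global section is over
        tolower($1) == "permitrootlogin" && !found { value = tolower($2); found = 1 }
        END { print (found ? value : "prohibit-password") }   # default when the keyword is unset
    '
}

# Constructed sample configs (not taken from any real host).

# The trap: appending "PermitRootLogin no" to a file that already says "yes"
# changes nothing, because the first occurrence wins.
weak_config='PermitRootLogin yes
Port 22
PermitRootLogin no'

# Corrected: a single, early PermitRootLogin no. The later Match block only
# relaxes one setting for one user and does not touch the global value.
hardened_config='PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes'

# Wrappers so the two results can be checked by name.
weak_result()     { printf '%s\n' "$weak_config"     | permit_root_login_setting; }
hardened_result() { printf '%s\n' "$hardened_config" | permit_root_login_setting; }

printf 'weak config     -> %s\n' "$(weak_result)"        # yes
printf 'hardened config -> %s\n' "$(hardened_result)"    # no
```

On a live host, `sshd -T` prints the configuration sshd actually uses after all parsing, which is the authoritative check once the file has been edited.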
Lock Password
- Even if the password is locked, the account can still be reached through other authentication methods, such as an SSH public key. To disable all logins to the account, set an expiration date (see below).
To lock the root password:
sudo passwd -l root # on Linux
sudo usermod -L root
sudo pw lock root # on FreeBSD
To unlock the root password:
sudo passwd -u root # on Linux
sudo pw unlock root # on FreeBSD
You can check whether an account is locked by examining the shadow password file. On Linux a locked password hash starts with an exclamation mark; on FreeBSD it starts with *LOCKED*:
# grep root /etc/shadow # on Linux
root:!$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7::0:
# grep root /etc/master.passwd # on FreeBSD
root:*LOCKED*$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:0:0::0:0:Charlie &:/root:/bin/csh
Set account expiration date
- Setting the expiration date to 0 also prevents cron jobs that run as root from running on systems where cron checks accounts through PAM (Debian and Ubuntu do).
Disable account login by setting the expiration date to 0 (that is, 1 January 1970, so the account is already expired):
chage -E 0 root
To enable the root account, set it back to -1:
chage -E -1 root
To display the account expiration date, use the -l option:
chage -l root
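As an added example (not part of the original page), the shell function below takes one shadow(5) entry plus a "today" value in days since 1970-01-01 and reports whether the password is locked and whether the account has expired, the two states set above with passwd -l and chage -E 0. It works on a line passed as an argument, so it can be tried on the sample entries here without reading the real /etc/shadow; the function names and all sample entries except the root line quoted earlier on this page are constructed. FreeBSD's master.passwd has a different field layout and is not handled.

```shell
#!/bin/sh
# Added example: classify a shadow(5) entry. Not part of the original page.
#
# shadow(5) fields, colon separated:
#   1 login  2 hashed password  3 last change  4 min  5 max  6 warn  7 inactive
#   8 expiry (days since 1970-01-01; empty = never)  9 reserved
#
# Usage: shadow_status ENTRY [TODAY_IN_DAYS]
# Prints: password=<set|locked|empty> account=<active|expired>
shadow_status() {
    entry=$1
    today=$2
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))

    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    expire=$(printf '%s\n' "$entry" | cut -d: -f8)

    case $hash in
        '!'*|'*'*) pw=locked ;;   # passwd -l / usermod -L prepend '!'; '*' can never match a password
        '')        pw=empty ;;    # no password at all: anyone can log in
        *)         pw=set ;;
    esac

    # chage -E -1 clears the field; chage -E 0 writes 0 (1970-01-01), which is in the past.
    if [ -z "$expire" ]; then
        acct=active
    elif [ "$expire" -le "$today" ]; then
        acct=expired
    else
        acct=active
    fi

    printf 'password=%s account=%s\n' "$pw" "$acct"
}

# "Today" fixed to 2010-04-17 (day 14716) so the results are reproducible.
TODAY=14716

# The locked-and-expired root entry shown earlier on this page.
locked_root='root:!$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7::0:'
# Constructed: the same account before passwd -l and chage -E 0 were applied.
open_root='root:$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7:::'
# Constructed: password locked, but the expiry is a year away, so a key login would still work.
future_root='root:!$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7::15081:'

locked_root_status() { shadow_status "$locked_root" "$TODAY"; }
open_root_status()   { shadow_status "$open_root"   "$TODAY"; }
future_root_status() { shadow_status "$future_root" "$TODAY"; }

locked_root_status   # password=locked account=expired
open_root_status     # password=set account=active
future_root_status   # password=locked account=active
```

The third entry is the case the note above warns about: a locked password alone reports account=active, because only the expiration date stops key-based logins.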
I'm certain that a more advanced method exists to lock down the root account by using the Pluggable Authentication Modules (PAM), but I'm unfortunately not a PAM expert.
Rename User (Not recommended)
It is possible to remove the "root" user, and create a super user with a different name (e.g. a user 'radicle' with uid=0 and gid=0).
- I do not consider this secure, as it is mostly security through obscurity.
- It is inconvenient: some scripts have a habit of sending errors to root (so you need either a mail alias or to change these scripts), and some cron jobs and startup scripts are specified to run as user 'root' (you need to adjust these).
Disable Shell login (Not recommended)
Another solution is to set the login shell of root to /bin/false instead of /bin/sh or /bin/bash.
- This is not secure. An attacker who has root's credentials can still connect via ssh to set up a tunnel (with ssh -N -L, which requests no shell at all) and use it as a means to bypass your firewall.
- It is inconvenient: this method prevents single-user login, although that can easily be overridden by setting the shell with a boot parameter, e.g.
kernel /boot/vmlinuz-2.6 root=/dev/sda1 rw single shell=/bin/bash
or even
kernel /boot/vmlinuz-2.6 root=/dev/sda1 rw init=/bin/bash
Debian and Ubuntu contain a bug where adduser prints an error when creating a new user while the root account is expired: the chfn call it makes fails its PAM account check. The typical error message looks like this:
# apt-get install amavisd-new
...
Creating/updating amavis user account...
Your account has expired; please contact your system administrator
chfn: PAM authentication failed
adduser: `/usr/bin/chfn -f AMaViS system user amavis' returned error code 1. Exiting.
In reality, the new account is created just fine. However, if the account was created as part of an installation procedure, the installation may have been aborted. I recommend temporarily removing the expiration date and trying again.
In this case:
apt-get remove --purge amavisd-new
chage -E -1 root
apt-get install amavisd-new
chage -E 0 root