Server owners are very interested in even smaller things that can prevent security breaches.
One such thing is to disable root login on Vultr Cloud Compute.
At 1 onlyhost, we help server owners disable root login on their Vultr instances as part of our Managed Cloud Services.
But, how do you manage a server with root login disabled?
Today, we’ll discuss how our Dedicated Engineers disable root login on a Vultr instance and setup alternate ways to access the server.
Disable root login on Vultr – Why it’s needed?
Root user is the default user on all Linux systems. Moreover, this user has all the super privileges on the server and it controls everything.
So, guessing and cracking the root password is the primary target of hackers, spam bots, etc. to penetrate into an account. Therefore, it’s very important to harden SSH on a Vultr instance.
Our Security Engineers always carry out frequent server audits to identify any security vulnerabilities and fix them immediately.
Disable root login on Vultr – How to do it?
Now, let’s see how our Support Engineers disable root login on a Vultr instance and enable server access via alternate methods.
We disable root login on a Vultr instance by adding the following line in the SSH configuration file /etc/sshd/sshd_config.
PermitRootLogin yes
Most importantly, we restart the SSH service to bring the changes into effect. For example, we use the below command to restart SSH service on CentOS server.
service sshd restart
However, in some cases root access becomes necessary for the user. In such cases, our Support Experts restrict root access to the server by IP address. In other words, we get the customer’s IP address and restrict root access to that particular IP address.
For instance, we add the following line in the SSH configuration file to allow root access to the IP address xx.xx.xx.xx and restart the SSH service.
AllowUsers root@xx.xx.xx.xx
But, before disabling root login, our Support Engineers always make sure to setup alternate ways to enable server access, otherwise user will be permanently locked out of the server.
a) Setup sudo user
It’s always a best practice to add a user with sudo access instead of root access. For example, we create a new user test on an Ubuntu instance using the below command.
adduser test
After that, we’ll give super user privileges to this test user, so that it can function just like the root user. For example, we assign root privileges to the test user by adding it to the sudo group.
adduser test sudo
Alternatively, if we need multiple users with root privileges on the Vultr instance, our Support Experts modify the sudoers file and add the users here.
Once done, we login as sudo user using the below command and test the sudo permissions of the user.
su test
Now, the user can manage the server with root permissions.
b) Setup key based access
Alternatively, our Security Engineers setup key based SSH access on the Vultr instance which is another safer method to use.
Firstly, we create a new key pair with the ssh-keygen command. This consists of a public key and private key. Further, we create a .ssh folder and authorized_keys file in the user’s home directory. After that, we add the public key to the authorized_keys file.
Most importantly, we ensure that the permissions of .ssh folder authorized_keys file are proper. Once done, users can login using the private key that matches the public key.
[Do you need help in disabling root login on your Vultr VPS? Our Server Experts can help you here.]
Vultr disable root login – Common failure points
Disabling root login on a Vultr instance involves a series of steps. And, a single wrong step can lock you out from the server. Now, let’s see the common errors that users may come across.
1) Incorrect permissions of SSH key
This is one of the common errors that we see while disabling root login on a Vultr instance. Server owners setup key based server access, but forget to assign proper permissions for the SSH key.
The ideal permission of .ssh folder should be 700 and the file authorized_keys should be 600. So, if users don’t have proper permissions to read the ssh keys, it throws errors like this.
Permission denied (publickey)
Here, our Support Engineers check the permission and ownership of these files. If we notice any problems with permissions, we’ll immediately correct them.
[Need help in resolving this error on your Vultr VPS? Click here, and get one of our Server Experts to fix this error.]
2) Hostname error
Similarly, another instance we see is that users create a new sudo user. However, with the default Vultr hostname, it will throw the following error.
sudo: unable to resolve host vultrcloud
In such cases, our Dedicated Engineers change the hostname of the Vultr instance to a Fully Qualified Domain Name(FQDN). Depending on the operating system, we edit the files /etc/hosts/ and /etc/hostname to change the hostname.
Conclusion
In short, disabling root login on Vultr instance is an easy method to secure your server. Today, we’ve discussed how our Dedicated Engineers disable root login on a Vultr instance and fix the common errors.