
When You Should Disable Root Login…Or Not

Posted on April 20, 2012 by Anthony James, Founder/CEO

When should you disable root login? Disabling root login is a very easy way to increase the security of your machine. Let's take a look at why and when you should disable root login, and also when it's OK to keep it enabled. The root (or administrator) user is the default user on almost all systems. As the name implies, it has all privileges on the machine and controls everything. In previous articles I've suggested several times that disabling root login and creating separate users with root privileges is a good security practice, but in reality you don't always have to do this. Let's first look at when it is best practice to disable root login.

Can your server be accessed by anyone on the internet?
What does this mean? For example, if you can sit at any computer at any location on the internet and SSH to your machine, then your server can be accessed by anyone on the internet. Since the root user has all the power, AND almost every Linux machine comes with the root user enabled, guessing or cracking the root user's password is the obvious place to start for anyone trying to penetrate a system: the username is already known, so only the password has to be found.
Bots automatically scan for the open SSH port and then try to access your system as the root user with random passwords. By creating a user with root privileges and disabling the root login, you remove this from the equation. Bots (or people) generally aren't out there trying to guess usernames AND passwords, so this increases the security of your system.
When is it OK to leave root login enabled?
As several members of the Pinehead community have pointed out, it is OK at times to leave the root user enabled. Again, I will say it is BEST practice to change the root username and/or disable the root password. However, if your server is offline, or is only reachable on a local network, you don't have to worry about hackers or bots trying to penetrate your system. By the very nature of a local network, they don't even have access to the system to try logging in as root.
If you can only access your servers from a VPN
Again, this is the same as your servers being accessible only on the local network. A VPN adds another layer of protection: in order to reach the VPN you'll need credentials for it, and only from there can you log in to your server.
All login is disabled except from console
Let's say your server is behind a firewall that only allows access to port 80. Then port 22 (SSH) isn't even reachable from the internet by someone or something trying to penetrate your system. You could also simply remove the services that allow remote login. If the server can only be accessed via console login (being physically in front of the machine), then there is no reason to disable root login.
Last but not least…
You don’t mind taking the chances of a break-in
If you just don't care that someone or something "could" ever break in, or you think the odds are against it, then leave it open. The odds are rather low that this will happen to you, but that doesn't mean it won't, or that you shouldn't take some steps to protect your system. Those steps include disabling root login, only allowing login at the console, putting your server behind a VPN, or making your server available only on the local network.
At the end of the day it's easier to just disable root login via SSH, as suggested in a previous tutorial (Disable Root Login via SSH), or to allow SSH access only with keys.
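To check which of the situations above a server is actually in, here is an added example (not part of the original post) that reads an sshd_config the way sshd does, first value of a keyword wins and Match blocks are ignored, and classifies root exposure as password-root, key-only-root or no-root; the sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# sshd_effective KEY FILE: print the value sshd would use for KEY. sshd takes
# the first occurrence of a keyword (case-insensitive); settings inside a
# Match block only apply conditionally, so we stop at the first Match line.
# Limitation: the rarely used "Keyword=value" spelling is not handled.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }         # conditional settings start here
        $1 ~ /^#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first value wins, as in sshd
    ' "$2"
}

# ssh_root_exposure FILE: classify the config as the article describes.
#   password-root  root reachable with a password (the bot-guessable case)
#   key-only-root  root allowed, but only with an SSH key pair
#   no-root        root cannot log in over SSH at all
ssh_root_exposure() {
    prl=$(sshd_effective PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    pa=$(sshd_effective PasswordAuthentication "$1" | tr 'A-Z' 'a-z')
    # Defaults when the keyword is absent: PermitRootLogin prohibit-password
    # (OpenSSH 7.0 and later), PasswordAuthentication yes.
    : "${prl:=prohibit-password}"
    : "${pa:=yes}"
    case "$prl" in
        no)  echo no-root ;;
        yes) if [ "$pa" = yes ]; then echo password-root; else echo key-only-root; fi ;;
        *)   echo key-only-root ;;   # prohibit-password, without-password, forced-commands-only
    esac
}

# Constructed sample configs (not copied from any real host) for a quick demo.
demo=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo/default.conf"
printf '# hardened\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$demo/keys.conf"
printf 'PermitRootLogin no\nMatch User deploy\n    PermitRootLogin yes\n' > "$demo/noroot.conf"
for f in default keys noroot; do
    printf '%s: %s\n' "$f" "$(ssh_root_exposure "$demo/$f.conf")"
done
rm -rf "$demo"
```

Run it against /etc/ssh/sshd_config on a host you administer to see which of the article's cases applies; only password-root is the case the bot-guessing section is about.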
Have a suggestion to this? Or other suggestions on protecting your system? Post them in the comments.


maxx
8 years ago

Simple solution: only allow root to login with SSH keys.

Kalin
8 years ago

If you enable SSH root login, good practice is to periodically change the SSH port to something other than 22.

Marc Perkel
8 years ago

I leave root login enabled. However, I disable password logins, so you have to have a key pair to authenticate. Bots can bang on the SSH port as long as they want, but there is no password and they won't get in that way.

Anthony James Founder/CEO
8 years ago

Thanks for the tip; I find that is my preferred solution as well. I also wanted to explain why root login "could" potentially be an issue. Thanks for pointing out other ways of solving it.

Robert
8 years ago

Why not also use something like fail2ban or denyhosts to block and record the IPs of bots, as well as using only key authentication for root and for users who possess root privileges?

best vpn for privacy
3 years ago

Thanks for writing this awesome article.
I have been searching for a long time for an answer to this subject and
I have finally found it on your site. I saved your blog in my RSS feed and shared it on my Twitter.
I will come back for sure to check your future articles!

Sharek
2 years ago

Great Info!

Ashley
2 years ago

Good job! It helped me a lot.
