Disable root login

[audunms]

Hi,
I wonder if it is possible to disable root user (or block root from login to the web interface/SSH/any other place than the physical server)?

I found information on how to grant another user root/admin privilegies, but not how to disable root.

 

[e100]

Not sure if it can be disabled for the web interface or not.

Proxmox uses root SSH for things like live migration so if you disable root logins for SSH(which you can do by editing ssh configs) you will break Proxmox.

 

[Nemesiz]

Proxmox are using ssh keys. Just remove password from /ets/shadow file.

 

[GT1]

Just remove password from /ets/shadow file.

what kind of advice is that ?

if you remove the password, then there is no password needed to login as root. fantastic if you want to open your server to everyone.

if you remove the entire line you cannot login as root at all. fantastic if you face a problem that can only be resolved as root (example: update & reboot).

 

[Nemesiz]

what kind of advice is that ?

if you remove the password, then there is no password needed to login as root. fantastic if you want to open your server to everyone.

Look at /etc/ssh/sshd_config

PermitEmptyPasswords no

if you remove the entire line you cannot login as root at all. fantastic if you face a problem that can only be resolved as root (example: update & reboot).

You can use 'sudo su' or ssh key to log in with no root password as I do.

Good luck to learn

edit: empty password has hash too so the line like this 'root:*:15521:0:99999:7:::" makes impossible to log in anyway except for ssh keys and sudo command.

 

[GT1]

yes, if you replace it with a * then i agree. however you stated remove, which leads to a non passworded root account. thus anyone who is on a shell can get root easily. so before your advice is going to lock the OP out of his box or open it to everyone you should be specific

btw: sudo is not installed by default on proxmox, you should not assume it is

 

[audunms]

Thank you for your answers. to elaborate, I do have physical access to the server should it be needed for some operations. From your replies, I am somewhat unsure to implement them as I ofcourse do not want to lock myself out from the system..

The reason I asked my question is that I want to be able to login remotely (via internet). I also want to be less vulnerable to brute force attacks, and therefore I thought disabling root was one step on the way. However, maybe another solution could be to lock root account for x seconds after x failed login attempts. Is this possible?

Thanks.

 

[udo]

Thank you for your answers. to elaborate, I do have physical access to the server should it be needed for some operations. From your replies, I am somewhat unsure to implement them as I ofcourse do not want to lock myself out from the system..

The reason I asked my question is that I want to be able to login remotely (via internet). I also want to be less vulnerable to brute force attacks, and therefore I thought disabling root was one step on the way. However, maybe another solution could be to lock root account for x seconds after x failed login attempts. Is this possible?

Thanks.

Hi,
Fail2Ban is the right solution for you. Search in the forum about threads for that.

Udo

 

[Nemesiz]

denyhosts are good solution too

 

[audunms]

Hi,
thnkas. I had not heard of fail2ban, but I implemented the solution for 2.x linked to in the first forum post about it, and it works perfectly fine. Thanks!

P.S. I do not know what denyhosts does, but I guess it won't matter since fail2ban seems to work fine.

 

[rafafell]

Disabling root login (sshd_config) can cause some problem in some proxmox activity (backup, migrate, snapshot ...)?

 

[Nemesiz]

Don`t know but there are magical option : PermitRootLogin without-password