How to Disable Root Login Over SSH in Debian 12 Bookworm

Learn how to disable root login over SSH in Debian 12 Bookworm.

Securing a Linux server starts with controlling who can log in remotely. One of the most effective single changes is to disable root login over SSH (Secure Shell). Every Linux system has a root account, so an attacker never has to guess the username; automated scripts hammer root with password lists around the clock. Forcing administrators through a personal account that elevates with sudo removes that fixed target and gives you a per-user audit trail.

In this comprehensive guide, we will walk you through the steps to disable root login over SSH on a Debian 12 Bookworm system. We will also discuss why disabling root login is important and how to implement alternative secure authentication methods.


Why Disable Root Login Over SSH?

Contrary to what many guides claim, Debian 12 does not allow root to log in with a password out of the box. The stock /etc/ssh/sshd_config contains the commented line #PermitRootLogin prohibit-password, which documents OpenSSH's built-in default: root cannot log in with a password, but root login with an SSH key is still accepted. Setting PermitRootLogin no explicitly closes that remaining path and makes the policy visible in the configuration instead of relying on a compiled-in default. The reasons to do so:

  1. Prevents Brute-Force Attacks: root exists on every Linux system, so attackers never have to guess the username. If the account cannot log in over SSH at all, their password lists fail regardless of how strong the root password is.
  2. Minimizes Security Risks: a compromised root session means complete control of the system, with no further privilege escalation needed.
  3. Encourages the Use of Least Privilege: a personal account that elevates with sudo only when needed limits what a stolen credential or hijacked session can do.
  4. Improves Auditing and Logging: sudo records which user ran which command, and sshd records which account each session belonged to, so actions can be attributed to a person rather than to a shared root login.

Prerequisites

Before proceeding, ensure that you have:

  • A Debian 12 Bookworm system
  • A non-root user with sudo privileges
  • SSH access to the server
  • A text editor like nano or vim

Step 1: Create a New User (If Not Already Created)

If you haven’t already set up a non-root user, you should do so before disabling root login. Run the following command to add a new user (replace yourusername with your desired username):

sudo adduser yourusername

Follow the prompts to set up a password and user details. Next, add the user to the sudo group to grant administrative privileges:

sudo usermod -aG sudo yourusername

Now switch to the new account and confirm that sudo actually works for it before you go any further. A user who is in the sudo group but cannot elevate (for example because the sudo package was never installed, which happens on Debian when a root password was set during installation) is the classic way to lock yourself out once root login is gone:

su - yourusername

Step 2: Enable SSH Access for the New User

Open a second terminal, leaving your current session connected as a safety net, and confirm that the new user can log in over SSH:

ssh yourusername@your_server_ip

If you can log in successfully, you can proceed to disable root login.


Step 3: Modify SSH Configuration to Disable Root Login

Now edit the SSH daemon configuration. Two details of Debian 12 matter here. First, the stock file has no active PermitRootLogin yes line; the relevant line is the comment #PermitRootLogin prohibit-password, which only documents the default. Second, the first directive in the file is Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so any drop-in file in that directory silently overrides what you write further down in sshd_config. Look in that directory first (cloud images often place a PasswordAuthentication setting there) so you know which file actually wins. Then open the main configuration:

sudo nano /etc/ssh/sshd_config

Find the following line:

#PermitRootLogin prohibit-password

Replace it with an uncommented, explicit:

PermitRootLogin no

Additionally, ensure that the following lines are set correctly:

PasswordAuthentication yes
AllowUsers yourusername

  • PermitRootLogin no – Refuses every root login over SSH, including the key-based logins that prohibit-password would still accept.
  • PasswordAuthentication yes – Keeps password logins for non-root users working for now; you will turn this off once SSH keys are in place (see Additional Security Measures below).
  • AllowUsers yourusername – Restricts SSH access to the listed accounts only. Everyone else, including deployment or backup service accounts, is refused, so list every account that needs SSH, separated by spaces.

Save the file by pressing CTRL + X, then Y, and finally Enter to confirm. Before restarting anything, run sshd's configuration check (sshd -t as root); it prints nothing when the file parses and names the offending line otherwise. A typo caught here costs seconds; the same typo found after a restart leaves you with a daemon that will not start.


Step 4: Restart the SSH Service

To apply the changes, restart the SSH service (a reload would do as well). Neither drops existing connections, so the session you are working in survives; the new rules apply only to new connections:

sudo systemctl restart ssh

To verify that SSH is running without errors, check its status:

sudo systemctl status ssh

You should see output indicating that SSH is active (running). If it reports failed, the log lines at the bottom of that output name the offending directive; fix it and restart again without closing your current session.


Step 5: Test the Configuration

Before logging out, ensure that you can still connect via SSH using the new user:

ssh yourusername@your_server_ip

If the connection is successful, try logging in as root to confirm that access is denied:

ssh root@your_server_ip

The server still prompts for a password, because sshd deliberately does not reveal that the account is blocked, but every attempt fails and the client ends with Permission denied (publickey,password). On the server, sudo journalctl -u ssh -e shows the rejected attempts against root.
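The procedure in Steps 3 to 5, as an added example that is not part of the original guide: a POSIX shell script that writes the hardening directives to a drop-in under /etc/ssh/sshd_config.d/ (which Debian 12's stock sshd_config pulls in through the Include line at its top), resolves the value sshd will actually use for a directive by following the same first-match rule, and reloads sshd only after its own syntax check passes. The drop-in name 10-hardening.conf and the user alice are assumptions, and the configuration used for the check is constructed; on a real host, sshd -T is the authoritative dump of the effective settings.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: the drop-in is named
# 10-hardening.conf, the admin user is passed as $1, and the host is Debian 12,
# whose stock /etc/ssh/sshd_config starts with
#   Include /etc/ssh/sshd_config.d/*.conf

# Write the Step 3 directives to a drop-in. sshd keeps the FIRST value it reads
# for each keyword, and Debian's Include line precedes every other directive,
# so this file overrides whatever the main file says about the same keywords.
write_hardening_dropin() { # dropin_path admin_user
    cat > "$1" <<EOF
# Hardening drop-in: takes precedence over /etc/ssh/sshd_config via Include
PermitRootLogin no
PasswordAuthentication yes
AllowUsers $2
EOF
}

# Print a config file with each Include line replaced by the contents of the
# files it names, in the order sshd reads them (glob matches sorted). Match
# blocks and the "Keyword=value" form are not handled; on the server itself,
# "sshd -T" is the authoritative dump of the effective configuration.
flatten_sshd_config() { # config_path
    while IFS= read -r line || [ -n "$line" ]; do
        set -f   # split the line into words without expanding globs yet
        # shellcheck disable=SC2086
        set -- $line
        set +f
        case $1 in
            [Ii]nclude)
                shift
                for pattern in "$@"; do
                    for file in $pattern; do   # glob expands here, sorted
                        if [ -f "$file" ]; then flatten_sshd_config "$file"; fi
                    done
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
    return 0
}

# Resolve the value sshd would use for a keyword: first match wins, keyword
# comparison is case-insensitive, commented lines never match.
sshd_effective_value() { # config_path keyword
    flatten_sshd_config "$1" |
        awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
            'tolower($1) == key {
                 sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
                 print; exit
             }'
}

# On the server, as root: reload only if the merged configuration parses, so a
# typo cannot leave you with a dead sshd. Not exercised by the test harness.
apply_sshd_config() {
    sshd -t && systemctl reload ssh
}

# Stand-alone use on a Debian 12 host:  sudo sh harden-ssh.sh yourusername
if [ $# -eq 1 ] && [ "$(id -u)" -eq 0 ]; then
    write_hardening_dropin /etc/ssh/sshd_config.d/10-hardening.conf "$1"
    echo "effective PermitRootLogin: $(sshd_effective_value /etc/ssh/sshd_config PermitRootLogin)"
    apply_sshd_config
fi
```

The point of sshd_effective_value is the Include gotcha: a PermitRootLogin yes left in the main file is harmless once the drop-in exists, and conversely a drop-in shipped by a cloud image can undo an edit to the main file without any warning from sshd.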


Additional Security Measures

To further enhance security, consider the following additional steps:

1. Disable Password Authentication and Use SSH Keys

SSH keys are a far stronger alternative to passwords: nothing guessable is involved and nothing reusable is typed. The order of operations matters, though. Generate a key pair on your workstation, copy the public key into ~/.ssh/authorized_keys on the server with ssh-copy-id, and verify that you can log in with the key alone while passwords are still accepted. Only then disable password authentication; doing it the other way round locks you out. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set the following directive (Debian 12's stock file already has KbdInteractiveAuthentication no, which closes the PAM-based password prompt; confirm it is still set and not overridden by a file in sshd_config.d):

PasswordAuthentication no

Save and restart SSH:

sudo systemctl restart ssh
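The key-based cutover described above, as an added example that is not part of the original guide: a POSIX shell script run from your workstation. It generates an Ed25519 key, installs it with ssh-copy-id while passwords are still accepted, proves that a key-only login works (BatchMode together with the two authentication options stops the client from quietly falling back to a password prompt), and only then writes a key-only drop-in on the server, validates it with sshd -t and reloads; if validation fails the drop-in is removed again. The drop-in path 05-keys-only.conf, the user alice, the host 192.0.2.10 and the SSH_CMD and DROPIN variables are assumptions, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: admin user and host
# are passed as arguments; DROPIN is the file written on the server; SSH_CMD is
# the command used to reach the server (real ssh by default, replaced by a stub
# in the test harness).
: "${SSH_CMD:=ssh}"
: "${DROPIN:=/etc/ssh/sshd_config.d/05-keys-only.conf}"

# Step 1, on the workstation: create a key pair if needed and install the
# public key. ssh-copy-id authenticates with the password that is still allowed.
install_key() { # admin_user host
    key="$HOME/.ssh/id_ed25519"
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key"
    ssh-copy-id -i "$key.pub" "$1@$2"
}

# Step 2: prove that a key-only login works. BatchMode plus the disabled
# password and keyboard-interactive methods make ssh fail instead of prompting,
# so a success here means the key really is accepted.
key_login_works() { # admin_user host
    "$SSH_CMD" -o BatchMode=yes -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no -o PreferredAuthentications=publickey \
        -o ConnectTimeout=10 "$1@$2" true
}

# The drop-in content. The low number matters: sshd reads drop-ins in sorted
# order and keeps the first value, so 05- beats a 10-hardening.conf that still
# says "PasswordAuthentication yes" and beats the main file as well.
keys_only_dropin() {
    cat <<'EOF'
# Key-only authentication (added by cutover script)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Step 3: disable password logins on the server, but only after Step 2
# succeeded. Failing closed here is what prevents the classic lockout
# (passwords off, key not yet working). On the server the drop-in is written
# via sudo, checked with sshd -t, and removed again if the check fails.
cutover_to_keys() { # admin_user host
    if ! key_login_works "$1" "$2"; then
        echo "key-only login for $1@$2 failed; passwords stay enabled" >&2
        return 1
    fi
    # -t gives sudo a terminal for its password prompt on the remote side.
    "$SSH_CMD" -t "$1@$2" "printf '%s\n' '$(keys_only_dropin)' | sudo tee $DROPIN >/dev/null && if sudo sshd -t; then sudo systemctl reload ssh; else sudo rm -f $DROPIN; exit 1; fi"
}

# Stand-alone use from the workstation:  sh keys-only.sh alice 192.0.2.10
if [ $# -eq 2 ]; then
    install_key "$1" "$2" && cutover_to_keys "$1" "$2"
fi
```

After the reload, open a fresh terminal and log in once more before closing the session you ran this from; the probe in Step 2 tested the key, not the new server configuration.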

2. Change the Default SSH Port

By default, SSH listens on port 22, which every internet scanner probes. Moving it to a non-standard port is not a security control in itself: it does not protect a weak password or an unpatched sshd, and a port scan finds the new port in seconds. What it does do is cut the volume of automated login attempts and the resulting log noise considerably. Edit the SSH configuration file and modify the Port directive:

Port 2222

Open the new port in the firewall before you restart sshd, and keep the existing rule for port 22 until you have confirmed a login on the new port (pass -p 2222 to the ssh client):

sudo ufw allow 2222/tcp

3. Enable Fail2Ban

Fail2Ban watches authentication logs and bans IP addresses after repeated failed login attempts. Install and enable it with:

sudo apt install fail2ban -y
sudo systemctl enable fail2ban --now

On Debian 12 there is one extra step. The base system no longer installs rsyslog, so /var/log/auth.log does not exist, and the packaged sshd jail, which expects that file, fails to start. Create /etc/fail2ban/jail.local with a [DEFAULT] section containing backend = systemd so that Fail2Ban reads sshd's messages from the journal instead, then restart fail2ban and confirm the jail is up with fail2ban-client status sshd. If you moved SSH to another port, set port = 2222 in the [sshd] section of the same file, otherwise the bans apply to the wrong port.

4. Use Two-Factor Authentication (2FA)

For an extra layer of security, add a time-based one-time password (TOTP) as a second factor using the Google Authenticator PAM module:

sudo apt install libpam-google-authenticator -y

Then, as the admin user rather than root, run google-authenticator to generate the secret and scan the QR code with any TOTP app. Wire it into SSH by adding auth required pam_google_authenticator.so to /etc/pam.d/sshd and setting KbdInteractiveAuthentication yes in the sshd configuration (UsePAM yes is already Debian's default). If you have switched to key-only logins, also set AuthenticationMethods publickey,keyboard-interactive so that both the key and the code are required, and comment out @include common-auth in /etc/pam.d/sshd if you do not want the keyboard-interactive step to ask for the Unix password as well. Test from a second terminal before closing your current session.


Conclusion

Disabling root login over SSH in Debian 12 Bookworm is an essential security practice that helps protect your system from unauthorized access and brute-force attacks. By following the steps outlined in this guide, you can effectively secure your server while still maintaining administrative control through a non-root user with sudo privileges.

Additionally, implementing SSH key authentication, changing the default SSH port, and using tools like Fail2Ban can further enhance the security of your Debian system.

Taking these precautions ensures that your Debian server remains secure and resilient against potential cyber threats. Always test your changes before logging out to prevent accidental lockout from your system.

If you have any questions or run into issues, feel free to leave a comment below!