How can I prevent root logins to my Linode over Lish?
I've disabled SSH logins to my Linode as root using this documentation:

However, my Linode's Lish console still accepts logins as root. How can I prevent this?
This is a very astute question to ask! Taking proactive security measures to reduce your Linode's attack surface is a great way to help avoid the unwelcome surprise that it was accessed without your authorization.
Ensure that SSH and sudo are properly set up
Before proceeding with any of these methods, it is crucial to establish that you are able to access your Linode over SSH as a limited user and then become your Linode's root user using the sudo application. After implementing these methods, this will be your only way to perform administrative functions requiring superuser access on your Linode.
From the way your question is worded, I imagine that you have already performed your initial SSH connection into your Linode as described in our Getting Started guide:

After completing this task, it seems as though you had then created a limited user account on your Linode as described in this section of our Securing Your Server guide:

Once you were able to perform this task, I imagine that you were then able to create an SSH keypair for this limited user and disable password- and root-based SSH logins as indicated in the Harden SSH Access section of that guide:

If you have not already completed these steps, I would do so now, since they will be necessary to proceed with the rest of this answer's recommendations. In case you need to install sudo onto your Linode, you may reference this section of our Linux Users and Groups guide for further instructions on how to do so:
If everything here is set up correctly, you should get a "permission denied" error when attempting to SSH into your Linode as root (replace 0.0.0.0 with the actual IP address of your Linode):

$ ssh root@0.0.0.0
root@0.0.0.0: Permission denied (publickey).
However, you should not encounter any issues SSHing into your Linode as your limited user (again, replace 0.0.0.0 with the actual IP address of your Linode and limited_user with the actual name of your limited user account; the prompt you receive when logging into your Linode will almost certainly differ from this example):

$ ssh limited_user@0.0.0.0
Welcome to your Linode!
limited_user@0.0.0.0:~$
From here, you may then determine whether you are able to become the root user on your Linode by using the sudo command. As an example, running the sudo whoami command should give you the output root:

limited_user@0.0.0.0:~$ sudo whoami
root
limited_user@0.0.0.0:~$
If all of these steps appear to be in working order, you should not encounter any troubles implementing (or recovering from!) the rest of this answer's recommendations.
Lock the root account's password
It is quite easy to prevent logins as root by running the following command:

sudo passwd -l root

This command sets root's password information to a value that cannot possibly match any given password, effectively blocking direct logins as root via Lish, even via brute force attempts.
In technical terms, this will add the ! character to the beginning of root's password hash in your Linode's /etc/shadow file. This initial ! character is what prevents any password from matching a login attempt into your Linode as root.

While this safeguard will likely thwart the vast majority of common login attempts as root, there are a number of other options that may provide some additional protection, listed below.
Set the expiration date of the root account
It is possible to disable the root account using the following command:

sudo usermod --expiredate 1 root

This command will set the expiration date for the root account to January 2, 1970. As such, it should act as another safeguard against unauthorized root access into your Linode.

If this method seems strange to you, don't fret: many Linux distributions list this command in the manual page for the passwd command as the preferred means to disable an account. If you have any doubts about this method, please feel free to check your Linode's own manual page on the subject by running man passwd on your Linode.
This should not disable access to your root account through sudo. If you are at all concerned about this, please don't hesitate to establish another SSH connection into your Linode and attempt to become root before running the above command. It is always possible to back out this command by re-running it with an empty expiration date (the empty string must be passed explicitly), like so:

sudo usermod --expiredate "" root
Edit the /etc/securetty file

The /etc/securetty file lists the terminal devices which permit root logins. For the sake of Lish, this file will include the ttyS0 device, which you may confirm by logging into your Linode via Lish and running the tty command:

$ tty
/dev/ttyS0

The devices in /etc/securetty are listed without the initial /dev/ component, so you will need to edit this file to remove the line reading ttyS0. You may alternately add a # character to the beginning of this line, which will turn it into a comment. This has the same effect as deleting the line, but will retain the line as a comment for future reference. For even more security against root login attempts over any of these terminal devices, you may delete or comment out any or all of the other lines in this file.
Regaining access to your Linode if you lock yourself out
Like any security measure, these procedures may cause you to lock yourself out of your Linode, especially if you find yourself unable to access your Linode over SSH.
The first step for recovering your access would be to reset the root password on your Linode:
This will allow you to use Lish to log back into your Linode directly as root and troubleshoot your usual access methods. You may review these guides to assist with these troubleshooting endeavors:

Resetting the root password will undo the root account password lock method, so once you successfully troubleshoot your usual access methods, you will need to run sudo passwd -l root on your Linode again to reimplement this security measure.

However, resetting the root password will still block access into your Linode via Lish if you have removed or commented out the ttyS0 line in your /etc/securetty file. If this is the case, and you cannot SSH into your Linode as a sudo user to restore this access, you should be able to regain access into your Linode by updating the /etc/securetty file using Rescue Mode, potentially in addition to a root password reset.
Naturally, it is always a good idea to have working backups ready and available to recover from any number of issues on your Linode. Linode also offers a Backup Service, which you may use by itself or in addition to other backup measures.
As indicated in this answer, there are a wide variety of methods that you can take to prevent root logins into your Linode while still retaining your administrative powers over it. As always, please feel free to post further advice or ask any questions you may have about these methods!
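As an added example (this is not code from the answer above or from Linode), the following POSIX shell script audits the three controls the answer describes: the leading ! that passwd -l puts in front of root's hash, the expiry day that usermod --expiredate 1 writes, and the ttyS0 entry in /etc/securetty. It runs against constructed copies of /etc/shadow and /etc/securetty so it works offline; the function names, the placeholder hashes and the file names under SAMPLE_DIR are my own, and the field positions follow shadow(5).

```shell
#!/bin/sh
# Added example, not code from the original answer or from Linode: audit the three
# root-login controls the answer describes. Field positions follow shadow(5):
#   $2 = password hash (a leading '!' is what `passwd -l` adds),
#   $8 = account expiry as days since 1970-01-01 (empty = never).
set -u

# Constructed sample data standing in for /etc/shadow and /etc/securetty. The hashes
# are placeholders, not real password hashes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/shadow.default" <<'EOF'
root:$6$c0nstructed$examplehashonly:19000:0:99999:7:::
limited_user:$6$c0nstructed$anotherexamplehash:19000:0:99999:7:::
EOF
# The same file after `sudo passwd -l root` and `sudo usermod --expiredate 1 root`:
cat > "$SAMPLE_DIR/shadow.hardened" <<'EOF'
root:!$6$c0nstructed$examplehashonly:19000:0:99999:7::1:
limited_user:$6$c0nstructed$anotherexamplehash:19000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/securetty.default" <<'EOF'
console
ttyS0
tty1
EOF
# The same file after commenting out the ttyS0 line as the answer suggests:
cat > "$SAMPLE_DIR/securetty.hardened" <<'EOF'
console
# ttyS0
tty1
EOF

# shadow_field USER N FILE: print field N of USER's line; fails if USER is absent.
shadow_field() {
    awk -F: -v u="$1" -v n="$2" \
        '$1 == u { print $n; found = 1 } END { exit !found }' "$3"
}

# password_state USER FILE: locked (leading '!' from passwd -l, or a bare '*'),
# empty (no password at all), usable, or absent. Returns 0 only when locked.
password_state() {
    hash=$(shadow_field "$1" 2 "$2") || { echo absent; return 2; }
    case "$hash" in
        '!'*|'*') echo locked; return 0 ;;
        '')       echo empty;  return 1 ;;
        *)        echo usable; return 1 ;;
    esac
}

# expiry_state USER FILE: expired if field 8 is set and is today or earlier,
# otherwise active. Returns 0 only when expired.
expiry_state() {
    expire=$(shadow_field "$1" 8 "$2") || { echo absent; return 2; }
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired; return 0
    fi
    echo active; return 1
}

# securetty_state DEV FILE: allowed if DEV (named without /dev/) appears on an
# uncommented line, blocked if it does not, missing if FILE is absent (reported
# separately, because what a missing file means is decided by the login/PAM stack,
# not by this script). Returns 0 only when blocked.
securetty_state() {
    [ -f "$2" ] || { echo missing; return 2; }
    if grep -v '^[[:space:]]*#' "$2" | grep -qxF "$1"; then
        echo allowed; return 1
    fi
    echo blocked; return 0
}

# lish_root_login_blocked SHADOW SECURETTY: 0 if at least one control stops a
# password login as root on the serial console (ttyS0), 1 if all three are open.
lish_root_login_blocked() {
    password_state root "$1" >/dev/null && return 0
    expiry_state root "$1" >/dev/null && return 0
    securetty_state ttyS0 "$2" >/dev/null && return 0
    return 1
}

# Report both sample states.
for s in default hardened; do
    printf '%-8s password=%s expiry=%s ttyS0=%s\n' "$s" \
        "$(password_state root "$SAMPLE_DIR/shadow.$s")" \
        "$(expiry_state root "$SAMPLE_DIR/shadow.$s")" \
        "$(securetty_state ttyS0 "$SAMPLE_DIR/securetty.$s")"
done
```

To audit a live Linode, point the same functions at /etc/shadow (readable only by root, so run the script via sudo) and /etc/securetty. If the script reports the securetty file as missing, do not assume root is blocked on ttyS0: some current distributions no longer ship /etc/securetty or include pam_securetty in their login stack, in which case that control does not apply and only the password lock or the expiry date protects the console.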
As astute as this question is and as complete as the answer is, if you are working on ssh(1) or your firewall and you screw up and lock yourself out, Lish is your only hope to get into your Linode to fix it. Since configuring both ssh(1) and the firewall requires you to be the super-user, blocking super-user logins from Lish may sound like a good idea but (IMHO) it really isn't.
Choose wisely, Grasshopper!