| Method | Description | Effects | Does Not Affect |
|---|---|---|---|
| Changing the root shell. | Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin. | | |
| Disabling root access via any console device (tty). | An empty /etc/securetty file prevents root login on any devices attached to the computer. | | |
| Disabling root SSH logins. | Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no. | | |
| Use PAM to limit root access to services. | Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.[a] | | |

[a] Refer to Section 4.4.2.4, “Disabling Root Using PAM” for details.
/sbin/nologin in the /etc/passwd file. This prevents access to the root account through commands that require a shell, such as the su and the ssh commands.
sudo command, can still access the root account.
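
An added example (not from the original guide): a Python audit of the four settings in the table, run here on constructed file contents. The function names and sample lines are assumptions for illustration; the sshd check reads only the global section and does not follow Include files.

```python
import re

def root_shell(passwd_text):
    """Login shell of the root entry in /etc/passwd content, or None."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[0] == "root":
            return fields[6]
    return None

def permit_root_login(sshd_text):
    """First global PermitRootLogin value (sshd uses the first one it reads).
    Stops at the first Match block; Include files are not followed."""
    for line in sshd_text.splitlines():
        parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None

def listfile_required(pam_text):
    """True if an 'auth required pam_listfile.so ...' line is present."""
    for line in pam_text.splitlines():
        tok = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if (len(tok) >= 3 and tok[0].lstrip("-") == "auth"
                and tok[1] == "required" and tok[2].endswith("pam_listfile.so")):
            return True
    return False

def audit(passwd, securetty, sshd, pam):
    """Map each method in the table to True (applied) or False."""
    return {
        "root_shell_nologin": root_shell(passwd) == "/sbin/nologin",
        "securetty_empty": securetty.strip() == "",  # strict: any content fails
        "ssh_root_login_disabled": permit_root_login(sshd) == "no",
        "pam_listfile_required": listfile_required(pam),
    }

# Constructed sample file contents (not taken from a real system).
PASSWD = "root:x:0:0:root:/root:/sbin/nologin\nalice:x:1000:1000::/home/alice:/bin/bash\n"
SSHD = "# PermitRootLogin yes\nPort 22\nPermitRootLogin no\n"
PAM = "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\n"

if __name__ == "__main__":
    for check, ok in audit(PASSWD, "", SSHD, PAM).items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```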