Disable root login in DigitalOcean servers – Security tip for Droplet owners

by | Dec 22, 2018

Managing a server can be really hard!

As server attacks increase day by day, Droplet owners use different methods to secure their server.

And, one such thing is to disable root login in their Droplets.

At Bobcares, we help DigitalOcean Droplet owners disable root login as part of our Managed Cloud Services.

Wait, if I disable root user, how do I manage my server?

The answer is pretty simple. Today, we’ll see how our Support Engineers disable root login and set up alternate ways to access the server.

Disable root login in DigitalOcean server – The reason behind that

The root user is the default user in DigitalOcean Droplets and has all privileges.

So, the root user is the primary target for attackers who try to gain access to the server by brute-force password guessing.

In other words, malicious bots scan for open SSH ports and start trying to log in as root with random passwords.

Therefore, disabling root login in your Droplet is critical for security.

At Bobcares, our Server Administrators do frequent security audits to identify security vulnerabilities in the server and fix them immediately.

Disable root login in DigitalOcean server – 2 easy steps

Now, we know the importance of disabling root login in DigitalOcean Droplets.

Next, we’ll discuss how our Support Engineers disable root login and enable server access via alternate methods.

1) Create a sudo user

From a security point of view, disabling root login and creating a sudo user is best practice.

It limits who can obtain privileged access, and so limits the damage from exploits and compromised accounts.

For instance, our Support Engineers create a new user in the Droplet with the following command.

adduser test

After that, we give the new user super user (root) privileges, so that this user can do everything the root user can.

For example, in Ubuntu servers, we run the following command to add the new user test to the sudo group.

usermod -aG sudo test

Now, the test user can run commands with root privileges.

Once we have set up the sudo user, the next step is to disable root login.

Our Hosting Engineers disable root login in the Droplet by adding the following line to the SSH daemon config file /etc/ssh/sshd_config and restarting the ssh service.

PermitRootLogin no

As a result, the SSH server rejects every SSH login attempt for the root account.

2) Set up key-based access

Alternatively, our Support Engineers help Droplet owners set up key-based access, so that the server can only be accessed using SSH keys.

Firstly, we create a new key pair consisting of a public key and a private key.

For instance, we use the following command to generate a new key pair.

ssh-keygen

After that, we copy the public key to ~/.ssh/authorized_keys in the user’s home directory on the Droplet.

Now, users can log in to the Droplet with the private key that matches that public key.

Finally, we disable password authentication in the Droplet.

As a result, server owners can only access the Droplet via public key authentication.

For example, to disable password authentication in a Droplet, we add the following line to the SSH daemon config file /etc/ssh/sshd_config and restart the ssh service.

PasswordAuthentication no

Likewise, in some servers, we add the following line to /etc/ssh/sshd_config, which lets the root user log in with an SSH key only, never with a password.

PermitRootLogin without-password

Most importantly, in both these cases, we restart the ssh service so that the changes take effect.
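The two steps above, combined into one script, as an added example that is not Bobcares' own code. It assumes an Ubuntu Droplet with systemd (so the daemon is restarted with "systemctl restart ssh"), the sudo group, and a public key file passed on the command line; the "--apply" flag and the sample file names are this example's own. It goes a little beyond the steps above: the edit to sshd_config is idempotent (a commented-out default line is rewritten rather than duplicated), and the file is validated with "sshd -t" before the restart, so a typo cannot take the daemon down.

```shell
#!/bin/sh
# Added example (not Bobcares' own script): steps 1 and 2 above as one
# idempotent run. Assumes an Ubuntu Droplet with systemd and the "sudo" group.
set -eu

# The daemon's file. ssh_config (no "d") is the client config; sshd ignores it.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Set KEY to VALUE in an sshd_config: rewrite an existing line for KEY (even a
# commented-out default such as "#PermitRootLogin prohibit-password"), or
# append one if the key is absent. Running it twice leaves the file unchanged.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # write back in place so owner and mode are kept
    rm -f "$tmp"
}

# Effective value of KEY in FILE: sshd honours the first uncommented occurrence.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Step 1: a sudo user with a key. adduser prompts for a password; keep it,
# because sudo on Ubuntu asks for the user's own password even when SSH
# password logins are switched off.
create_sudo_user() {
    user="$1"; pubkey_file="$2"
    id "$user" >/dev/null 2>&1 || adduser "$user"
    usermod -aG sudo "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 600 -o "$user" -g "$user" "$pubkey_file" "/home/$user/.ssh/authorized_keys"
}

# Step 2: disable root and password logins, then restart the daemon only
# after "sshd -t" accepts the file, so a typo cannot lock everyone out.
harden_sshd() {
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
    sshd -t -f "$SSHD_CONFIG"
    systemctl restart ssh
}

# Usage (as root; file names are hypothetical): ./harden.sh --apply test /root/test.pub
# Run it from a session that stays open, and confirm "ssh test@droplet" and
# "sudo -v" work from a second terminal before closing that session.
if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ]; then
    create_sudo_user "$2" "$3"
    harden_sshd
fi
```

Keeping the root session open until the new user has logged in and run sudo is what turns the "messed up server" scenario from a rescue job into a non-event.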

Disable root login in DigitalOcean server – Common failure points

Disabling root login is a technical task.

Based on our experience managing servers, we’ve noticed the following scenarios, where things will not work as expected.

1) Wrong file edits

One of the common errors we see is that Droplet owners disable root login in the wrong configuration file.

In DigitalOcean Droplets, you can see 2 SSH config files, "sshd_config" and "ssh_config".

Here, sshd_config is the ssh daemon configuration file and ssh_config is the ssh client configuration file.

We’ve seen instances where Droplet owners mistakenly disable root login in the ssh_config file.

In such cases, our Hosting Engineers disable root login by adding the directive "PermitRootLogin no" to the sshd_config file and restarting the ssh service.

2) Failed to restart SSH service

Droplet owners contact us complaining that they have disabled root login in their Droplet, but can still log in as root.

When our Support Engineers check the SSH configuration file, root login has indeed been disabled there.

The problem was that they had not restarted the SSH service after changing the SSH config file.

Restarting the SSH service makes it re-read the SSH configuration file and pick up the changes.

So, here we restart the SSH service and confirm that root login is disabled.

3) Completely messed up server

We’ve seen an instance where a Droplet owner disabled root login without first creating a sudo user or setting up key-based access.

The Droplet was not accessible from our end too.

In this case, our Support Engineers boot the server in rescue mode and edit the sshd_config file to allow root login again.

If that doesn’t work, the next option is to restore the Droplet from a snapshot taken before the changes were made.
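The three failure points above, turned into checks that can be run before and after the change. This is an added example, not a Bobcares script; it assumes Debian/Ubuntu paths (/etc/ssh/sshd_config, /run/sshd.pid, /etc/group, /etc/passwd) and the Linux procps "ps", and the function names and the "--run" flag are this example's own. The file-level checks take paths as arguments so they can be run against a copy of the files.

```shell
#!/bin/sh
# Added example (not Bobcares' own script): checks for the three failure
# points above. Assumes Debian/Ubuntu file layout and Linux procps "ps".
set -eu

# First uncommented KEY line in FILE, which is the one sshd uses.
effective_option() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Failure point 1: the edit must be in the daemon file. Returns 0 only when
# FILE is named sshd_config and PermitRootLogin blocks password logins as root.
# Since OpenSSH 7.0 the key-only value is spelled prohibit-password;
# without-password is the older spelling and is still accepted as an alias.
root_password_login_blocked() {
    file="$1"
    case "$(basename "$file")" in
        sshd_config) ;;
        ssh_config)  echo "$file is the ssh client config; sshd never reads it" >&2; return 1 ;;
        *)           echo "$file is not an sshd_config" >&2; return 1 ;;
    esac
    case "$(effective_option "$file" PermitRootLogin)" in
        no|prohibit-password|without-password) return 0 ;;
        *) echo "PermitRootLogin is not explicitly restricted in $file" >&2; return 1 ;;
    esac
}

# Failure point 2: a config edited after the daemon started has not been
# loaded. Pure comparison of two epoch timestamps (config mtime, daemon start).
needs_restart() { [ "$1" -gt "$2" ]; }

# Epoch start time of the running sshd master process.
sshd_start_epoch() {
    pid="$(cat /run/sshd.pid 2>/dev/null || pidof -s sshd || true)"
    [ -n "$pid" ] || return 1
    echo $(( $(date +%s) - $(ps -o etimes= -p "$pid" | tr -d ' ') ))
}

# Failure point 3: never set PermitRootLogin no before another way in exists.
# Returns 0 if some member of GROUP listed in GROUP_FILE has a non-empty
# authorized_keys under the home directory given in PASSWD_FILE. HOME_ROOT is
# prefixed to each home path so the check can run against copied files.
# Users whose primary group is GROUP are not listed in /etc/group and are skipped.
has_keyed_sudo_user() {
    group_file="$1"; passwd_file="$2"; home_root="${3:-}"; group="${4:-sudo}"
    members="$(awk -F: -v g="$group" '$1 == g { print $4 }' "$group_file" | tr ',' ' ')"
    for u in $members; do
        home="$(awk -F: -v u="$u" '$1 == u { print $6 }' "$passwd_file")"
        keys="$home_root$home/.ssh/authorized_keys"
        if grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$keys" 2>/dev/null; then
            echo "$u can log in with a key and use sudo"
            return 0
        fi
    done
    echo "no $group member has an authorized_keys file: root lockout risk" >&2
    return 1
}

# Usage: ./audit.sh --run   (reads the live system files; exits 1 on a problem)
if [ "${1:-}" = "--run" ]; then
    cfg=/etc/ssh/sshd_config
    root_password_login_blocked "$cfg"
    has_keyed_sudo_user /etc/group /etc/passwd
    if needs_restart "$(stat -c %Y "$cfg")" "$(sshd_start_epoch)"; then
        echo "$cfg changed after sshd started: run 'systemctl restart ssh'" >&2
        exit 1
    fi
fi
```

Running the lockout check before the edit and the other two after it catches all three scenarios while a working root session is still open, which is much cheaper than rescue mode or a snapshot restore.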

Conclusion

In short, Droplet owners disable root login as a method to secure the server. Today, we’ve seen how our Cloud Experts disable root login in DigitalOcean Droplets and set up alternate ways to access the server.
