Introduction
Disabling direct root logins prevents someone who knows that every Linux server has a "root" user, but doesn't know any usernames on your system, from guessing the password and logging in as root. There is a catch: if you disable root login immediately, you will not be able to administer your server over SSH as root.
This How-To document tells you what you'll need to do to ensure that you can access SSH and promote your wheel user to the root user.
Procedure
1. Create a user to use as the "wheel" user
The easiest way to create a user is to create an additional cPanel user. If you choose this method, it will count towards your total cPanel users for licensing purposes, so you cannot use this method on a cPanel Solo server. You can also create a system (Linux) user with the adduser command.
2. Put the user in the "wheel" group
Once you have a username, you can go to WHM / Manage wheel group users and move the user you've just created into the wheel group. This step allows the user access to the sudo and su commands.
3. Test Access
It is crucial that you test access at this point in the process. Ensure that the user you created can log in via SSH and use the command "sudo su" (and their password) or just "su" (and the root password) to gain root privileges. You can tell that the user has root privileges if the command "whoami" returns "root". If neither "sudo su" nor "su" works, do not proceed, because you will lock yourself (and us) out. If you cannot continue because you cannot gain root access with the wheel user, please see the help article for "How to create sudo users".
4. Edit your ssh daemon configuration (sshd_config)
Only after you've ensured that you can log into the server and gain root access with the wheel user you created should you prevent root from logging in directly. Do that by making a backup of the file at /etc/ssh/sshd_config and then editing it. The only value you wish to change at this time is PermitRootLogin, which you want to set to "no". It is suggested to make the other changes proposed in that documentation, but it's recommended to make the changes one at a time. That way, if something goes wrong, you know which change has caused the problem.
5. Restart the ssh daemon and log in again
Once you've edited /etc/ssh/sshd_config, you'll need to restart SSH, which will disconnect your current session. This is why it is important that you made sure you could log in previously. Test one more time, and then you're good to proceed with any other changes you wish to make to harden your SSH configuration.
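The backup and edit from step 4 as a script, added here as an example (it is not cPanel's or this article's own code). The function name set_permit_root_login_no and the backup file naming are assumptions; the function sets PermitRootLogin to "no" exactly once in the global section and warns about any Match block that would still override it.

```bash
#!/usr/bin/env bash
# Added example, not the article's own script. Run as root on the server:
#   ./set_prl.sh /etc/ssh/sshd_config

set_permit_root_login_no() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # Step 4: back up first so the original can be restored if sshd rejects the edit.
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$backup" || return 1
    tmp="$(mktemp)" || return 1

    # Keywords are case-insensitive and sshd keeps the first value it reads,
    # so write the setting exactly once in the global section (before any
    # Match block) and drop the other active global PermitRootLogin lines.
    # Commented-out lines are left alone.
    awk '
        function emit() { if (!done) { print "PermitRootLogin no"; done = 1 } }
        { key = tolower($1) }
        key == "match" { emit(); in_match = 1 }
        key == "permitrootlogin" && !in_match { emit(); next }
        key == "permitrootlogin" && in_match {
            # A Match block can still override the global value: flag it.
            print "warning: Match-block override at line " NR ": " $0 > "/dev/stderr"
        }
        { print }
        END { emit() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "$backup"   # print the backup path for the caller
}

if [ "$#" -gt 0 ]; then
    set_permit_root_login_no "$1"
fi
```

Before restarting the daemon in step 5, "sshd -t" checks the edited file for syntax errors, and "sshd -T" prints the effective settings, which shows whether an included file or a Match block still overrides the value.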