Disable SSH Root Login
An XCCDF Rule
Description
The root user should never be allowed to log in to a system directly over a network.
To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no
Rationale
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.
- ID: xccdf_org.ssgproject.content_rule_sshd_disable_root_login
- Severity: Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
  if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"  # drop every existing PermitRootLogin line (case-insensitive)
  fi
  # Put the directive first: sshd uses the first occurrence of a keyword, and a line placed after a Match block would only apply inside it
  { printf '%s\n' "PermitRootLogin no"; [ -e "/etc/ssh/sshd_config" ] && cat "/etc/ssh/sshd_config"; } > "/etc/ssh/sshd_config.tmp"
  cat "/etc/ssh/sshd_config.tmp" > "/etc/ssh/sshd_config" && rm -f "/etc/ssh/sshd_config.tmp"  # cat > keeps the file's owner, mode and SELinux label
fi
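The remediation above deletes every existing PermitRootLogin line and inserts the new one at the top of the file for a reason: sshd honours the first occurrence of a keyword and ignores later ones, and a directive placed after a Match line is conditional rather than global. The following audit helper, an added example that is not part of the SSG rule content, reads a configuration file with those same rules and reports the effective global value, so it shows why a stray "PermitRootLogin yes" above the corrected line still fails the rule. The function names and the sample configuration are constructed for this example; the default value printed when no global directive exists is OpenSSH's own default.

```shell
#!/bin/sh
# Added example (not part of the SSG rule): audit the effective global
# PermitRootLogin value the way sshd resolves it.
#  - keywords are case-insensitive and may be written "Keyword value" or "Keyword=value"
#  - the FIRST occurrence of a keyword wins; later ones are ignored
#  - everything after the first "Match" line is conditional, not global

# Print the effective global PermitRootLogin value for the file given as $1.
# Prints "prohibit-password", the OpenSSH default, when no global directive exists.
effective_permit_root_login() {
  file="$1"
  awk '
    { sub(/#.*/, "") }                       # drop comments
    { sub(/[ \t]*=[ \t]*/, " ") }            # accept the "Keyword=value" spelling
    NF == 0 { next }                         # skip blank lines
    tolower($1) == "match" { exit }          # global section ends at the first Match block
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "prohibit-password" }
  ' "$file"
}

# Exit 0 when the rule passes (global value is exactly "no"), 1 otherwise.
check_sshd_disable_root_login() {
  [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: a later "PermitRootLogin no" does NOT override the earlier
# "yes", and the "no" inside the Match block only applies to that address range.
demo_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample sshd_config
Port 22
permitrootlogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
  printf '%s\n' "$f"
}

# Usage: run the check against the constructed sample and report the verdict.
if [ "${1:-}" = "--demo" ]; then
  cfg=$(demo_config)
  printf 'effective global PermitRootLogin: %s\n' "$(effective_permit_root_login "$cfg")"
  if check_sshd_disable_root_login "$cfg"; then echo "rule: pass"; else echo "rule: FAIL"; fi
  rm -f "$cfg"
fi
```

On a live host, `sshd -T` (optionally with `-C user=root,addr=...` to evaluate Match blocks for a specific connection) prints the values sshd will actually use and is the authoritative check; the parser above is useful for files pulled from hosts or images where sshd cannot be run.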
Remediation - Ansible
- name: Disable SSH Root Login
  block:
    - name: Check for duplicate values
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitRootLogin\s+
        state: absent
      check_mode: true          # report only; dupes.found holds the number of matching lines
      changed_when: false
      register: dupes
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitRootLogin\s+
        state: absent
      when: dupes.found is defined and dupes.found > 1
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        regexp: (?i)^\s*PermitRootLogin\s+
        line: PermitRootLogin no
        state: present
        insertbefore: BOF       # ahead of any Match block, so the directive is global
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]