Many people start their own Linux server because it is cheap and fun to play with. But they do not know that attackers scan the whole internet every second looking for weak servers. If you keep the default settings, your server can be broken into very quickly. Today I want to show you three very easy things you can do in less than one minute that will protect your server for many years. We will block normal users from using the su command, we will lock the root account password so nobody can log in with it directly at the console, and we will stop SSH from letting root log in over the network. This is not hard to do even if you are new to Linux like me.
First we need to talk about the su command, which is dangerous if we do not fix it. The su command means substitute user, and it lets any user try to become root if they know the root password. If an attacker takes over a simple user account on your system, like the web server user, they can use su to try to guess your root password again and again. We want only users in a special group called wheel to be able to use this command. Fedora and some other systems already have this rule in their configuration, but it is turned off with a comment symbol.
To fix this, open your terminal and run a sed command that finds that line and turns it on. Here is the command you type in your terminal.
sudo sed -i -E 's/^#(auth.*pam_wheel.so use_uid)/\1/' /etc/pam.d/su
This command looks scary because it has many strange symbols like slashes and backslashes, so let me explain it in a simple way. The sed tool is a program that changes text inside files without opening a text editor like nano or vi. The -i option means in-place, so the change is written directly to the file /etc/pam.d/su. The -E option turns on extended regular expressions, which is what makes the parentheses work as a group. The search pattern looks for a line that starts with a hash symbol and then has auth and pam_wheel.so use_uid in it. A hash symbol at the start of a line means it is a comment, and the system ignores it. The parentheses capture everything after the hash, and the \1 in the replacement writes that captured text back, so the only change is that the hash symbol is gone and the system now reads the rule and activates it.
After you run that command you must check that it worked. You do not want a mistake here, because it can break how users log in. Run this command to verify.
grep pam_wheel /etc/pam.d/su
This grep command searches inside the file and prints the matching line. You should see a line like this, without a hash symbol at the start.
auth required pam_wheel.so use_uid
If you see this line without the hash symbol, then only users in the wheel group can use the su command to become root, so make sure your own admin user is in the wheel group. If a user who is not in the wheel group tries to use su, the system says permission denied even if they type the correct root password. This is very good for security because it stops a compromised user account from guessing the root password.
Now we go to the second step, which is locking the root account so nobody can log in with its password at the console. If all your admin users have sudo access, you do not need to log in as root directly, so make sure your own user already has working sudo before you do this step or you can lock yourself out. Logging in as root is bad practice because you can make big mistakes and delete important system files by accident. If we lock the root password, nobody can sit at the physical computer or use an emergency console and log in with the root password.
To lock the root account, run this command in your terminal.
sudo passwd -l root
This command tells the system to lock the root account. The -l option means lock. The system puts a marker in front of the stored root password so it can no longer match anything you type at a login prompt. But we must make sure it worked by looking at the status of the root account. You can do this with this command.
sudo passwd -S root
When you press Enter you will see one line of text that tells you the status of the root user. Look at the letters right after the username. It should say root LK or something similar, depending on your Linux version. LK means locked. If you see LK, the password is locked and no one can use it to log in from the console.
Sometimes you might have a big emergency and really need to unlock the root account to fix your broken system. Do not worry, because you can unlock it easily if you have sudo access. You just need to run this command.
sudo passwd -u root
The -u option means unlock. This makes the root account usable again. But you should only do this when you have a very big problem, and lock it again when you are finished fixing everything.
The third step is about SSH, which is how we connect to our server over the internet. By default many servers allow the root user to log in over SSH. This is very dangerous because attackers run automated tools that try millions of passwords until they guess the root password. We must tell the SSH server to stop root from logging in.
To do this we need to edit the SSH configuration file. You can open it with a simple text editor like nano by running this command.
sudo nano /etc/ssh/sshd_config
Now scroll down the file and look for a line that says PermitRootLogin. It might have a hash symbol at the start, or it might say yes. You need to change this line so it looks exactly like this.
PermitRootLogin no
Make sure there is no hash symbol at the start of this line, because if there is one the SSH server ignores the line. After you change it you must save the file. In nano you do this by pressing Ctrl+O and then Enter, and then you exit by pressing Ctrl+X.
After you change the configuration file, the SSH server does not know about the change yet. You must restart the SSH service so it reads the new rules. You can do this by running this command.
sudo systemctl restart sshd
On some other systems like Ubuntu the service is named ssh instead of sshd, so if the command above gives an error you can try this command instead.
sudo systemctl restart ssh
Now you must test that everything works. Do not close your current terminal window yet, because if you made a mistake you might lock yourself out of your server. Open a new terminal window on your personal computer and try to log in as root over SSH. It should reject you with permission denied even if you type the correct password. Then try to log in with your normal user that has sudo rights. It should let you in. Once you are logged in as your normal user, run a command with sudo to make sure you still have administrator power.
If everything works, congratulations, because your server is now much more secure than before. These three steps are very simple and take only a few seconds to type, but they protect your system from many common attacks for many years. You do not need to be a professional network engineer to make your server safe if you follow these simple instructions.
In conclusion, we learned how to make our Linux server safer by doing three quick things. First we locked the su command so only members of the wheel group can try to become root. Second we locked the root account password so no one can use it at the physical computer screen. Third we blocked root from logging in over the internet using the SSH config file. These settings are very easy to do, but they are very important because they stop attackers from breaking into your system easily. You should do this every time you create a new Linux server.
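To go with the manual tests above, here is a small audit script, added here as an example and not part of the original post, that checks all three settings at once. Each check takes a file path (for the live server those are /etc/pam.d/su, /etc/shadow and /etc/ssh/sshd_config), so it also runs on copies of the files without root.

```sh
#!/bin/sh
# Added audit helper (not from the original post). Each check takes a file
# path, so it also works on copies of the files or on constructed samples.

# Step 1: the pam_wheel rule in /etc/pam.d/su only counts when the line is
# not commented out (no leading #). use_uid or other options may follow.
check_su_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Step 2: "passwd -l root" puts "!" in front of root's hash in /etc/shadow;
# a "*" field can never match either, so both count as locked (LK).
check_root_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { found = 1 }
             END { exit found ? 0 : 1 }' "$1"
}

# Step 3: sshd keeps the FIRST PermitRootLogin value it reads, so an early
# "yes" wins over a later "no". Lines inside a Match block apply only to
# matching connections, so the scan stops there. No directive at all means
# the OpenSSH default (prohibit-password), which is not the same as "no".
check_sshd_no_root() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Run all three checks, print one line each, return the number of failures.
audit_files() {
    fails=0
    if check_su_wheel "$1"; then echo "OK   su limited to the wheel group"
    else echo "FAIL su usable by every user"; fails=$((fails + 1)); fi
    if check_root_locked "$2"; then echo "OK   root password locked"
    else echo "FAIL root password still usable"; fails=$((fails + 1)); fi
    if check_sshd_no_root "$3"; then echo "OK   SSH root login disabled"
    else echo "FAIL SSH root login not disabled"; fails=$((fails + 1)); fi
    return "$fails"
}

# On a real server run it with sudo and --live to audit the actual files.
if [ "${1:-}" = "--live" ]; then
    audit_files /etc/pam.d/su /etc/shadow /etc/ssh/sshd_config
fi
```

On a live system, sudo sshd -T | grep -i permitrootlogin prints the value sshd actually uses, including anything pulled in by an Include line, which this plain file scan does not follow.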
