But how do we restrict a direct root user login?
First, direct root login over ssh must be disabled, which can be done in sshd_config.
Modify your /etc/ssh/sshd_config and make sure PermitRootLogin is disabled as shown below:
# grep -i PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
By default the value would be yes, so change it to "no" and save the file, followed by a restart of the sshd service so the change takes effect:
# systemctl restart sshd.service
This disables direct root login over ssh, but what if someone gets access to the GUI console, which can be iLO for a physical blade and a GUI console for VMware via VNC or some other tool?
The above change will not restrict a direct root login via the console, as that is not ssh.
Disable direct root login via console
To achieve this, clear the contents of "/etc/securetty". By default this file lists all the terminals on which a direct root login is allowed.
# cat /dev/null > /etc/securetty
Now you can try to do a root login via console, and it should fail
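To confirm both changes without attempting a login, the two files can be checked with a small script. This is an added example, not part of the original article; the function names are made up for illustration, and it reads only the file it is given (Include files are not followed) up to the first Match block.

```shell
#!/bin/sh
# Added example: verify the two root-login restrictions described above.
# Function names are hypothetical. Only the given file is read (Include
# files are not followed).

# Print the global PermitRootLogin value. sshd keywords are case-insensitive
# and the first value obtained for a keyword wins; the global section ends at
# the first Match block. Prints "unset" if no uncommented line sets it.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Count terminals still listed in securetty (non-blank, non-comment lines).
# The article's step leaves the file present but empty, so a missing file is
# reported separately instead of being treated as empty.
securetty_entries() {
    [ -f "$1" ] || { echo "missing"; return; }
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# $1 = sshd_config path, $2 = securetty path; returns non-zero on any FAIL.
audit_root_login() {
    rc=0
    v=$(effective_permit_root_login "$1")
    if [ "$v" = "no" ]; then echo "PASS ssh: PermitRootLogin no"
    else echo "FAIL ssh: PermitRootLogin is '$v'"; rc=1; fi
    n=$(securetty_entries "$2")
    if [ "$n" = "0" ]; then echo "PASS console: securetty is empty"
    else echo "FAIL console: securetty entries: $n"; rc=1; fi
    return $rc
}

# Constructed sample files (not from a real host): one FAIL run, one PASS run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'console' 'tty1' > "$d/securetty"
    audit_root_login "$d/sshd_config" "$d/securetty" || true
    printf '%s\n' 'PermitRootLogin no' > "$d/sshd_config"; : > "$d/securetty"
    audit_root_login "$d/sshd_config" "$d/securetty"; s=$?
    rm -rf "$d"; return $s
}

# With two paths, audit real files; with no arguments, run the demo.
if [ "$#" -eq 2 ]; then audit_root_login "$1" "$2"; else demo; fi
```

On a live host, run it as root with /etc/ssh/sshd_config and /etc/securetty as the two arguments. sshd -T prints the configuration sshd actually computes and can be used to cross-check the ssh result.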
I hope the article was useful.