How can I prevent root logins to my Linode over Lish?

Linode Staff

I've disabled SSH logins to my Linode as root using this documentation:
https://www.linode.com/docs/security/securing-your-server/#ssh-daemon-options

However, my Linode's Lish console still accepts logins as root. How can I prevent this?

2 Replies

This is a very astute question to ask! Taking proactive security measures to reduce your Linode's attack surface is a great way to help avoid the unwelcome surprise that it was accessed without your authorization.

Ensure that SSH and sudo are properly set up

Before proceeding with any of these methods, it is crucial to establish that you are able to access your Linode over SSH as a limited user, then become your Linode's root user on your Linode using the sudo application. After implementing these methods, this will be your only way to perform administrative functions requiring superuser access on your Linode.

From the way your question is worded, I imagine that you have already performed your initial SSH connection into your Linode account as described in our Getting Started guide:

After completing this task, it seems as though you had then created a limited user account on your Linode as described in this section of our Securing Your Server guide:

Once you were able to perform this task, I imagine that you were then able to create an SSH keypair for this limited user and disable password- and root-based SSH logins as indicated in the Harden SSH Access section of that guide:

If you have not already completed these steps, I would do so now, since they will be necessary to proceed with the rest of this answer's recommendations. In case you need to install sudo onto your Linode, you may reference this section of our Linux Users and Groups guide for further instructions on how to do so:

If everything here is set up correctly, you should get a "permission denied" error when attempting to SSH into your Linode as root (replace 0.0.0.0 with the actual IP address of your Linode):

$ ssh root@0.0.0.0
root@0.0.0.0: Permission denied (publickey).

However, you should not encounter any issues SSHing into your Linode as your limited user (again, replace 0.0.0.0 with the actual IP address of your Linode and limited_user with the actual name of your limited user account -- and the prompt you receive when logging into your Linode will almost certainly differ from this example):

$ ssh limited_user@0.0.0.0

Welcome to your Linode!
limited_user@0.0.0.0:~$ 

From here, you may then determine whether you are able to become the root user on your Linode by using the sudo command. As an example, running the sudo whoami command should give you the output root:

limited_user@0.0.0.0:~$ sudo whoami
root
limited_user@0.0.0.0:~$ 

If all of these steps appear to be in working order, you should not encounter any troubles implementing (or recovering from!) the rest of this answer's recommendations.

Locking the root account's password

It is quite easy to prevent logins as root by running the following command:

sudo passwd -l root

This command sets root's password information to a value that cannot possibly match any given password, effectively blocking direct logins as root via Lish even via brute force attempts.

In technical terms, this will add the ! character to the beginning of root's password hash in your Linode's /etc/shadow file. This initial ! character is what prevents any password from matching a login attempt into your Linode as root.

While this safeguard will likely thwart the vast majority of common login attempts as root, there are a number of other options that may provide some additional protection listed below.

Set the expiration date of root

It is possible to disable the root account using the following command:

sudo usermod --expiredate 1 root

This command will set the expiration date for the root account to January 2, 1970. As such, it should act as another safeguard against unauthorized root access into your Linode.

If this method seems strange to you, don't fret -- many Linux distributions list this command in the manual page for the passwd command as the preferred means to disable an account. If you have any doubts about this method, please feel free to check your Linode's own manual page on the subject by running man passwd on your Linode.

This should not disable access into your root account through sudo. If you are at all concerned about this, please don't hesitate to establish another SSH connection into your Linode and attempt to become root before running the above command. It is always possible to back out this command by re-running it with an empty expiration date, like so:

sudo usermod --expiredate "" root

Modifying the /etc/securetty file

The /etc/securetty file lists the terminal devices which permit root logins. For the sake of Lish, this file will include the ttyS0 device, which you may confirm by logging into your Linode via Lish and running the tty command:

$ tty
/dev/ttyS0

The devices in /etc/securetty are listed without the initial /dev/ component, so you will need to edit this file to remove the line reading ttyS0. You may alternately add a # character to the beginning of this line, which will turn it into a comment. This has the same effect as deleting the line, but will retain the line's comment for future reference. For even more security against root login attempts over any of these terminal devices, you may delete or comment out any or all of the other lines in this file.

Regaining access to your Linode if you lock yourself out

Like any security measure, these procedures may cause you to lock yourself out of your Linode, especially if you find yourself unable to access your Linode over SSH.

The first step for recovering your access would be to reset the root password on your Linode:

This will allow you to use Lish to log back into your Linode directly as root and troubleshoot your usual access methods. You may review these guides to assist with these troubleshooting endeavors:

Resetting the root password will undo the root account password lock method, so once you successfully troubleshoot your usual access methods, you will need to run sudo passwd -l root on your Linode again to reimplement this security measure.

However, resetting the root password will still block access into your Linode via Lish if you have removed or commented out the ttyS0 line in your /etc/securetty file. If this is the case, and you cannot SSH into your Linode as a sudo user to restore this access, you should be able to regain access into your Linode by updating the /etc/securetty file using Rescue Mode, potentially in addition to a root password reset.

Naturally, it is always a good idea to have working backups ready and available to recover from any number of issues on your Linode. Linode also offers a Backup Service, which you may use by itself or in addition to other backup measures.

Conclusion

As indicated in this answer, there are a wide variety of methods that you can take to prevent root logins into your Linode while still retaining your administrative powers over it. As always, please feel free to post further advice or ask any questions you may have about these methods!
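The answer above describes three safeguards (a locked root password hash in /etc/shadow, an expiry date on the root account, and no ttyS0 entry in /etc/securetty) but gives no way to confirm all three are in place before trusting them. The following added example, which is not part of the original answer or of Linode's documentation, is a small POSIX shell audit that checks each safeguard against copies of /etc/shadow and /etc/securetty. It runs offline against constructed sample files (the hashes, dates and device lists are made up for the demonstration); on a live Linode you would pass the real paths, reading /etc/shadow through sudo.

```shell
#!/bin/sh
# Added example, not from the Linode answer: audit the three root-login
# safeguards described above against copies of /etc/shadow and /etc/securetty.
# All file contents created below are constructed for the demonstration.

# Returns 0 if the root entry in the given shadow file is locked, i.e. its
# password field (field 2) begins with "!" (what `passwd -l root` writes) or
# is "*" (no valid password at all). Returns 1 otherwise.
root_password_locked() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$hash" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if root's expiry date (field 8, days since 1970-01-01, which
# `usermod --expiredate 1 root` sets to 1) is in the past, 1 if empty or in the future.
root_account_expired() {
    expire=$(awk -F: '$1 == "root" { print $8; exit }' "$1")
    [ -n "$expire" ] || return 1
    today=$(( $(date +%s) / 86400 ))
    [ "$expire" -lt "$today" ]
}

# Returns 0 if the securetty file does not list ttyS0 (the Lish serial console)
# on an active, uncommented line. A missing file is conservatively treated as
# "not blocking", since there is then no restriction to verify.
securetty_blocks_lish() {
    [ -f "$1" ] || return 1
    if sed 's/#.*//' "$1" | grep -qx '[[:space:]]*ttyS0[[:space:]]*'; then
        return 1
    fi
    return 0
}

# Prints one PASS/FAIL line per safeguard; the return value is the number of
# failed checks, so 0 means every safeguard is in place.
audit_root_lish_hardening() {
    shadow_file="$1"; securetty_file="$2"; failures=0
    if root_password_locked "$shadow_file"; then echo "PASS: root password locked (passwd -l root)"
    else echo "FAIL: root password hash is not locked"; failures=$((failures + 1)); fi
    if root_account_expired "$shadow_file"; then echo "PASS: root account expiry date is in the past"
    else echo "FAIL: root account has no past expiry date"; failures=$((failures + 1)); fi
    if securetty_blocks_lish "$securetty_file"; then echo "PASS: ttyS0 absent from securetty"
    else echo "FAIL: ttyS0 still permits root login in securetty"; failures=$((failures + 1)); fi
    return "$failures"
}

# Writes constructed "stock" and "hardened" copies of both files into a temp
# directory and prints that directory's path. The hashes are placeholders.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/shadow.stock" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
limited_user:$6$constructedsalt2$constructedhash2:19000:0:99999:7:::
EOF
    cat > "$dir/shadow.hardened" <<'EOF'
root:!$6$constructedsalt$constructedhash:19000:0:99999:7::1:
limited_user:$6$constructedsalt2$constructedhash2:19000:0:99999:7:::
EOF
    cat > "$dir/securetty.stock" <<'EOF'
# constructed sample of a stock /etc/securetty
console
tty1
tty2
ttyS0
EOF
    cat > "$dir/securetty.hardened" <<'EOF'
# constructed sample after the ttyS0 line has been commented out
console
tty1
tty2
#ttyS0
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: the hardened samples should pass, the stock ones should fail.
samples=$(make_samples)
audit_root_lish_hardening "$samples/shadow.hardened" "$samples/securetty.hardened" && echo "hardened sample: all safeguards present"
audit_root_lish_hardening "$samples/shadow.stock" "$samples/securetty.stock" || echo "stock sample: root still reachable over Lish"
rm -rf "$samples"
```

On a real system you would call `audit_root_lish_hardening <(sudo cat /etc/shadow) /etc/securetty` from a bash session, or copy /etc/shadow to a root-only temporary file first under plain sh. The securetty check deliberately ignores commented lines, matching the answer's suggestion to prefix ttyS0 with `#` rather than delete it.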

As astute as this question is and as complete as the answer is, if you are working on ssh(1) or your firewall and you screw up and lock yourself out, Lish is your only hope to get into your Linode to fix it. Since configuring both ssh(1) and the firewall requires you to be the super-user, blocking super-user logins from Lish may sound like a good idea but (IMHO) it really isn't.

Choose wisely, Grasshopper!

-- sw
