Disabling Root Login via SSH on FreeBSD Operating System

How to disable root login via SSH on FreeBSD operating system

Introduction

SSH (Secure Shell) is a critical protocol for remote system administration, providing encrypted communication between client and server. However, it’s also a common target for brute force attacks. One of the most effective security measures you can implement is disabling direct root login via SSH. This article provides a detailed guide to disabling root login via SSH on FreeBSD systems, explaining the reasons behind this security practice and offering step-by-step instructions for implementation.

Why Disable Root SSH Login?

Before diving into the technical steps, it’s important to understand why disabling root SSH login is considered a security best practice:

  1. Reduced Attack Surface: The root account is a known entity on all Unix-like systems, making it a primary target for attackers. By disabling direct root login, you eliminate a predictable attack vector.

  2. Accountability: When administrators use individual accounts and then escalate privileges as needed, system logs can accurately track who performed specific actions.

  3. Defense in Depth: Even if an attacker discovers your SSH port and attempts brute-force attacks, they won’t know which user account to target for initial access.

  4. Privilege Separation: Following the principle of least privilege, administrators should use regular user accounts for normal operations and only elevate privileges when necessary.

Prerequisites

Before proceeding with disabling root SSH login, ensure you have:

  • Administrative access to your FreeBSD system
  • A regular user account with sudo/doas privileges
  • Basic knowledge of terminal commands and text editors
  • A backup of your current SSH configuration (recommended)

Step-by-Step Process

1. Create a Non-Root Administrative User

If you don’t already have a non-root user with administrative privileges, create one:

# Log in as root
adduser

Follow the prompts to create a new user. When asked about additional groups, add the new user to the wheel group; the sudo/doas configuration in the next step grants administrative access to members of this group:

Login group is username. Invite username into other groups? []: wheel

2. Configure sudo or doas

FreeBSD provides two options for privilege escalation: sudo and doas. Choose one based on your preference:

Using sudo

Install sudo if not already installed:

pkg install sudo

Configure sudo by editing the sudoers file:

visudo

Uncomment the following line to allow members of the wheel group to execute any command:

%wheel ALL=(ALL) ALL

Using doas

Install doas if not already installed:

pkg install doas

Create a doas configuration file:

vi /usr/local/etc/doas.conf

Add the following line to allow members of the wheel group to execute any command:

permit :wheel

3. Test Your Administrative User

Before disabling root SSH login, verify that your administrative user can successfully use sudo/doas to execute commands with elevated privileges:

# Log in as your non-root user
sudo ls -la /root
# OR
doas ls -la /root

If you can successfully execute the command, your non-root user has the necessary privileges.

4. Modify SSH Configuration

Now that you have a working administrative user, you can modify the SSH configuration to disable root login:

# Use sudo/doas to edit the SSH configuration file
sudo vi /etc/ssh/sshd_config
# OR
doas vi /etc/ssh/sshd_config

Locate the PermitRootLogin directive. If it doesn’t exist or is commented out (prefixed with #), add it or uncomment it. Set its value to no:

PermitRootLogin no

If you want to be extra cautious, you can also consider changing the default SSH port and implementing other security measures. Additional recommended settings include:

# Disable password authentication (use key-based authentication instead)
PasswordAuthentication no

# Limit SSH access to specific users
AllowUsers yourusername

# Disable empty passwords
PermitEmptyPasswords no

# Disable X11 forwarding if not needed
X11Forwarding no

# Set a stricter authentication timeout
LoginGraceTime 30

5. Restart the SSH Service

After modifying the configuration, restart the SSH service to apply the changes:

# Using sudo
sudo service sshd restart
# OR using doas
doas service sshd restart

6. Test the New Configuration

Before closing your current SSH session, open a new terminal and attempt to log in as root via SSH:

ssh root@your_server_ip

If your configuration is correct, the system should deny the connection with a message like “Permission denied.”

Now, test logging in with your administrative user:

ssh your_username@your_server_ip

This should succeed, allowing you to perform administrative tasks using sudo/doas.
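
One way to confirm that steps 4 to 6 took effect is to check the configuration sshd actually loaded rather than the file that was edited. The script below is an added example, not part of the original guide; the function name audit_sshd, the sample dumps and the keyboard-interactive warning are assumptions of the example, and it treats every setting listed in step 4 as required.

```sh
#!/bin/sh
# Added example, not from the guide: audit the effective sshd settings.
# Reads "keyword value" lines as printed by `sshd -T` on stdin, prints one
# line per problem, and returns 0 only if every step 4 setting is in effect.
audit_sshd() {
    awk '
    BEGIN {
        # Expected effective values, taken from step 4 of the guide.
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["permitemptypasswords"] = "no"
        want["x11forwarding"] = "no"
        want["logingracetime"] = "30"
        n = split("permitrootlogin passwordauthentication permitemptypasswords x11forwarding logingracetime", order, " ")
    }
    NF >= 2 { seen[tolower($1)] = $2 }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen)) {
                print "MISSING " k; bad = 1
            } else if (seen[k] != want[k]) {
                print "FAIL " k " is " seen[k] ", want " want[k]; bad = 1
            }
        }
        # AllowUsers is printed only when it is set.
        if (!("allowusers" in seen)) { print "MISSING allowusers"; bad = 1 }
        # Not a setting from the guide: stock FreeBSD sshd also accepts
        # passwords through PAM keyboard-interactive, so flag it as a warning.
        if (("kbdinteractiveauthentication" in seen) && seen["kbdinteractiveauthentication"] == "yes")
            print "WARN kbdinteractiveauthentication is yes"
        exit bad
    }'
}

# Constructed sample dumps (not captured from a real host).
sample_weak() {
    printf '%s\n' 'permitrootlogin yes' 'passwordauthentication yes' \
        'kbdinteractiveauthentication yes' 'permitemptypasswords no' \
        'x11forwarding yes' 'logingracetime 120'
}
sample_hardened() {
    printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'permitemptypasswords no' \
        'x11forwarding no' 'logingracetime 30' 'allowusers yourusername'
}
sample_weak | audit_sshd || echo "audit failed"
# On the server, as root (sudo or doas): sshd -t && sshd -T | audit_sshd
```

Running sshd -t first catches syntax errors before the service is restarted, which avoids locking yourself out with a configuration that sshd cannot load.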

Additional Security Measures

While disabling root SSH login is an important step, comprehensive SSH security involves multiple layers of protection:

1. Key-Based Authentication

Instead of using passwords, implement SSH key-based authentication:

  1. Generate SSH keys on your client machine:

    ssh-keygen -t ed25519 -C "your_email@example.com"
    
  2. Copy the public key to your FreeBSD server:

    ssh-copy-id -i ~/.ssh/id_ed25519.pub your_username@your_server_ip
    
  3. Disable password authentication in your SSH configuration:

    PasswordAuthentication no
    

2. Firewall Configuration

Configure your FreeBSD firewall (pf, ipfw, or ipfilter) to limit SSH access to specific IP addresses or networks:

Using pf (Packet Filter)

Edit /etc/pf.conf and add rules like:

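# Allow SSH only from specific IP addresses
# (requires the ext_if macro and a default "block in" rule elsewhere in pf.conf;
# a pass rule on its own does not restrict other sources)
pass in on $ext_if proto tcp from {192.168.1.0/24, 10.0.0.5} to any port 22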

3. Fail2Ban Implementation

Install and configure Fail2Ban to protect against brute force attacks:

pkg install fail2ban

Configure Fail2Ban to protect SSH:

sudo vi /usr/local/etc/fail2ban/jail.local

Add the following configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

Enable the Fail2Ban service in rc.conf and start it:

sudo sysrc fail2ban_enable="YES"
sudo service fail2ban start

4. Regular Security Audits

Regularly audit your SSH configuration and system logs to identify potential security issues:

# Check for failed login attempts
sudo grep "Failed password" /var/log/auth.log

# Review SSH configuration
sudo sshd -T
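
The grep above can be extended into a per-source summary that also shows how many attempts targeted root. This is an added example, not part of the original guide; failed_ssh_summary and the sample log lines are constructed for illustration, and it matches any "Failed <method>" line rather than only "Failed password".

```sh
#!/bin/sh
# Added example, not from the guide: failed SSH logins per source address.
# Reads auth.log lines on stdin and prints "ip total root_attempts",
# busiest source first. Matching every "Failed <method>" line means PAM
# keyboard-interactive failures are counted as well as "Failed password".
failed_ssh_summary() {
    awk '
    / sshd\[[0-9]+\]: Failed / {
        # The address follows the last "from" that is paired with "port";
        # the attempted user name is the field just before that "from".
        for (i = NF - 2; i > 1; i--)
            if ($i == "from" && $(i + 2) == "port") {
                total[$(i + 1)]++
                if ($(i - 1) == "root") root[$(i + 1)]++
                break
            }
    }
    END { for (ip in total) print ip, total[ip], root[ip] + 0 }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample lines (not taken from a real log).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:02 bsd sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:04 bsd sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:09 bsd sshd[1207]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 51290 ssh2
Mar  3 10:16:40 bsd sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar  3 10:17:01 bsd sshd[1220]: Accepted publickey for yourusername from 192.168.1.20 port 50111 ssh2
EOF
}
sample_auth_log | failed_ssh_summary
# On the server: sudo cat /var/log/auth.log | failed_ssh_summary
```

A source that keeps appearing with a non-zero third column after root login is disabled is guessing at the root account and is a reasonable candidate for a firewall or Fail2Ban block.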

Troubleshooting

If you encounter issues after implementing these changes, consider the following troubleshooting steps:

  1. Lost Access: If you lose access to your server, you’ll need to use the FreeBSD console (either physical or through your hosting provider’s management interface) to log in and correct the SSH configuration.

  2. Permission Issues: Ensure your administrative user has the correct permissions to use sudo/doas by checking group membership:

    groups your_username
    
  3. Configuration Syntax: If SSH fails to start, there might be syntax errors in your configuration. Check for errors in the system logs:

    sudo tail -f /var/log/auth.log
    

Conclusion

Disabling root login via SSH is a fundamental security practice for FreeBSD systems. By following the steps outlined in this guide, you’ve significantly enhanced your server’s security posture against common attack vectors. Remember that security is an ongoing process, not a one-time task. Regularly review and update your security measures to address new threats and vulnerabilities.

With root SSH login disabled, key-based authentication enabled, and additional security measures in place, your FreeBSD system is now better protected against unauthorized access attempts. This layered approach to security, often referred to as “defense in depth,” provides multiple barriers that potential attackers must overcome.

By implementing these best practices, you’re taking a proactive stance on system security, helping to ensure the integrity and availability of your FreeBSD server and the data it contains.