Protecting the root user in Ubuntu 20.04 Focal Fossa

I've been talking about Mautic, an open source alternative for conducting digital marketing campaigns. My intention was to begin to explain in this article how to install it on a virtual private server. But, by pure accident, I discovered something. My web host offers two types of images for the server version of Ubuntu 20.04: the original and one customized by them. The customized one saves installation time but unnecessarily complicates the installation of Mautic.

To cut it short, I wasted a day of research that I could have saved by using the original image but, since some of the things I discovered may be useful to someone, I recycled them in this article.

User management

One of the differences between the original Ubuntu image and that of my hosting provider is that in the first I chose my username and password, while in the second a root user was created and its password was automatically generated.

Some Linux distributions ask you at installation time for two passwords, the user password and the root password. The root user can do absolutely whatever he wants with the system. For security reasons it is advisable to limit its use and create another user who has administrator powers, but from whom they can be withdrawn in case of problems. That is why Ubuntu chooses not to create this type of user by default, although it is possible to add it later.

When you log into Ubuntu, if you want to make important changes, you have to tell the operating system that you have the necessary authorizations. This is done by entering the password in the window that opens or by typing a statement preceded by the sudo command in the terminal.

The root user has its own command, su, which allows executing any command not only on your behalf but on behalf of any other user. Once you have entered the password you can do whatever you want with the system until you type exit in the terminal.

Instead, sudo can only be executed on behalf of a single user, one command at a time, and you must re-enter the password every 15 minutes.

It must be made clear that Ubuntu does have a root user but, since it does not have a password configured, it is as if it does not exist. To enable it, you just have to write the following command:

sudo passwd root

Creating a new user with administrator powers

If you have a server or a computer that many people access and, for some reason, you have the root user enabled, it is better to take protective measures.

To create the new user we write the command
sudo useradd username
Remember to replace username with the name of your choice.

Then we assign a password
sudo passwd username

The system will ask you to enter the password twice. Remember that you are using the terminal and you will not see what you are typing.

The program will offer to accept the default values or fill in additional information. I suggest you accept the default settings.

Now we proceed to assign the new user administrator powers

sudo usermod -aG sudo username

Protecting the root user

If your hosting provider created a root user for you, it has probably also generated a password that meets some security recommendations. It is recommended to change it with the command
sudo passwd root

Keep the following tips in mind:

  • Don't use words that can be found in the dictionary.
  • Combine symbols and alphanumeric characters.
  • Write a password as long as you can and use a manager to store it.

You can lock the root user with the following command
sudo passwd -l root
And unlock it by assigning a new password with this:

sudo passwd root

Securing remote access

Remember that this article was intended to talk about virtual private servers. It is possible that your provider allows you to access the virtual server using the browser, but most likely you will access it remotely using the SSH protocol. An additional layer of security is to disable remote use of the root user.

We do this with:
sudo nano /etc/ssh/sshd_config

We look for this line
PermitRootLogin

And when we find it we change yes to no.

While we're at it, look for the following line:
PermitEmptyPasswords

And make sure it is set to no.

Save changes with CTRL + X, confirming when nano asks whether to save.
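
To check the result of the edit without reading the file by eye, the following shell functions report the value sshd would use for each of the two keywords. This is an added example, not part of the original article; the function names sshd_effective and audit_sshd_config and the sample file are made up for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the article): check the two sshd_config settings.
# Assumptions: sshd keeps the FIRST uncommented value of a keyword, keyword
# names are case-insensitive, and lines after the first "Match" are
# conditional. Include files are not followed here.

# Print the global value of keyword $2 in file $1, or default $3 if unset.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only when both settings are exactly the documented value "no".
audit_sshd_config() {
    rc=0
    # Defaults used when the keyword is absent: prohibit-password and no.
    root_login=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    empty_pw=$(sshd_effective "$1" PermitEmptyPasswords no)
    if [ "$root_login" != "no" ]; then
        echo "FAIL PermitRootLogin is $root_login"; rc=1
    fi
    if [ "$empty_pw" != "no" ]; then
        echo "FAIL PermitEmptyPasswords is $empty_pw"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK root login and empty passwords are refused"
    fi
    return "$rc"
}

# Constructed sample input: the commented line is ignored and the earlier
# "yes" wins over the later "no", so this file fails the check.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
    'PermitRootLogin no' 'PermitEmptyPasswords no' > "$sample"
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

On the server itself, sudo sshd -T prints the configuration sshd actually resolves, Include files included. The edited file only takes effect after the SSH service is restarted.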

