Why should I really disable root ssh login?

9

I always read I should disable root login for SSH and log in with a user which has sudo. But what is the difference between:

ssh root@vps 

and

ssh myuser@vps
sudo -i 

I don't have physical access to my server and need root permissions via remote access in some way. Is the only advantage here that the username is unknown?


Security Tip: Disable Root SSH Login on Linux

One of the biggest security holes you could open on your server is to allow directly logging in as root through ssh, because any cracker can attempt to brute force your root password and potentially get access to your system if they can figure out your password.

It’s much better to have a separate account that you regularly use and simply sudo to root when necessary.

Brettetete

Posted 2015-11-27T16:45:54.223

Reputation: 2 057

3

Just disable passwords completely and use public key auth. Or at least use PermitRootLogin without-password. Also, take a look at this.

– Daniel B – 2015-11-27T16:50:02.483

1

Because there isn't a good reason to allow root login? – Braiam – 2015-11-28T04:21:41.160

Because "root" is the default admin login, so it's an easy target for SSH scanners. Also better to install Fail2ban and log in as a normal user and then run the "su" command – user956584 – 2015-12-21T17:25:37.780

Answers

3

You answered your own question. By disabling remote access to root in *Nix or administrator access in Windows, you make it that much harder for someone to gain privileged access to your computer. If someone steals or brute-forces your non-privileged account password, then they only have limited access.

Keltari

Posted 2015-11-27T16:45:54.223

Reputation: 57 019

:P Quick way of getting extra points! Well played that lad. Good answer though :) – Kinnectus – 2015-11-27T17:17:33.800

5

"If someone steals or brute-forces your non-privileged account password, then they only have limited access." - Wrong if they can just run sudo -i and retype the password! – user253751 – 2015-11-27T21:14:44.047

@user20574 incorrect. – Keltari – 2015-11-27T21:16:25.530

@Keltan Why is it incorrect? – user253751 – 2015-11-27T21:17:36.380

1

@user20574 you are making the assumption that the user has root privs. – Keltari – 2015-11-27T21:24:22.523

5

@Keltan You read the question right? This is for a situation where some user needs to be able to use root privileges. – user253751 – 2015-11-27T21:27:08.773

The method used to gain access doesn't necessarily give them the user's password. – Tanath – 2015-12-04T20:48:33.540

3

root is a dangerous account since it can literally do anything it wants on the system. You want to protect it from unauthorized access as much as possible.

By disallowing root logins via SSH, you require 2 passwords for someone to gain root, instead of 1. If someone is trying to guess or crack your passwords, this doubles their workload.

@Daniel B. in the comments is right, using keys is better than passwords, if they are passphrase-protected.

The above still applies if you only allow passphrase-protected keys instead of passwords - and still disallow root from logging in even with a key. So even if you use keys instead of passwords there is a benefit from disabling direct root login via SSH.

LawrenceC

Posted 2015-11-27T16:45:54.223

Reputation: 63 487

You write "if you disable SSH login with passphrase-protected keys instead of passwords " <-- What does that mean? If you disable A instead of B. Do you mean if you Enable A(passphrase-protected keys) and disable B(passwords)? You could've written that more clearly. – barlop – 2015-11-27T18:31:32.490

Agreed, I edited. :) – LawrenceC – 2015-11-27T18:47:47.323

1

Two passwords to gain root is with su. For sudo (like in the question's example and quoted advice) this is the same password, so there's only one (that you might need to type more than once). – Dan Getz – 2015-11-28T02:31:58.130

1

@DanGetz Depends. You can also require the target user’s (or root’s) password with sudo. // Also, I disagree about passwords on keys being required. Keys prevent brute force attacks (targeting sshd) either way. – Daniel B – 2015-11-30T08:23:20.220
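
An added example, not part of the original thread: a small Python audit of the two sshd_config options the answers and comments refer to, PermitRootLogin and PasswordAuthentication, using sshd's rule that the first value read for a keyword wins. The function names and the sample config are constructed for this example; it assumes OpenSSH 7.0 or later defaults, stops at the first Match block and does not follow Include files.

```python
# Added example: audit the two sshd_config options discussed in this thread.
# Defaults are those documented in sshd_config(5) for OpenSSH 7.0 and later.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def effective_settings(config_text):
    """Return the global values sshd would use for the keywords in DEFAULTS.

    sshd keeps the first value it reads for each keyword, so a later
    "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".
    Assumption: parsing stops at the first Match block and Include files
    are not followed; `sshd -T` on the host gives the authoritative answer.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword in DEFAULTS and keyword not in seen and len(parts) > 1:
            seen[keyword] = parts[1].strip('"')
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Return (settings, findings) for root login and password authentication."""
    cfg = effective_settings(config_text)
    if cfg["permitrootlogin"] == "without-password":   # deprecated alias
        cfg["permitrootlogin"] = "prohibit-password"
    root, findings = cfg["permitrootlogin"], []
    if root == "yes" and cfg["passwordauthentication"] == "yes":
        findings.append("root accepts password logins; guessing targets root directly")
    elif root != "no":
        findings.append("root can still log in directly (PermitRootLogin %s)" % root)
    if cfg["passwordauthentication"] == "yes":
        findings.append("password authentication is enabled")
    return cfg, findings


# Constructed sample: sshd ignores the second PermitRootLogin line.
SAMPLE = "# constructed example\nPermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    settings, findings = audit(SAMPLE)
    print(settings, *findings, sep="\n- ")
```
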