Optional Security - Disable root login

Post by sarmisak »

Hi,

I love DietPi, it is the long lost server for my multiple Pi systems running all around my house and work.

I believe that there are some security issues which should be considered on the next release of DietPi, like starting with a normal user instead of using root for ssh access.

If you would like to secure your system, please follow these steps:

groupadd -g 1000 pi
useradd -g 1000 -u 1000 -m -s /bin/bash -d /home/pi pi
apt-get install sudo
usermod -aG sudo pi    # -a appends to the supplementary groups instead of replacing them
passwd pi

After applying all of the above, you should have a pi user available in /home/pi with your desired password. Try becoming the "pi" user by typing

su pi

and then try becoming root by typing

sudo -s

It should ask for your password to become the super user (root). If you are not able to become root, very carefully type exit to go back to your root session from the pi session and go over the previous steps, since you are probably missing something. If everything is OK, now try to connect to your Pi with the new user you have created:

ssh pi@xxx.xxx.xxx.xxx
sudo -s

Now let's disable root password login. In /etc/default/dropbear, change

DROPBEAR_EXTRA_ARGS=

to

DROPBEAR_EXTRA_ARGS=-g

which disables root password logins.

After this point, neither you nor anyone else will be able to log in remotely with your root password. You will always have to log in with your pi user (I'm sure you know that you can change that username if you want) and then become root, which is a great way to secure a server setup against SSH brute-force attacks.
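As an added example (not part of sarmisak's post and not DietPi's own code), here is the same procedure as a script that does the steps in the order a careful admin wants: create the unprivileged user, confirm that sudo actually works for it, and only then lock root's password login. The dropbear edit is done idempotently, so re-running it never duplicates -g and never clobbers other flags already in DROPBEAR_EXTRA_ARGS. Assumptions of mine: the username is pi (override with ADMIN_USER), the config path is /etc/default/dropbear, and dropbear is restarted with `service dropbear restart`; the function names are mine. Note the two dropbear flags involved: -g only refuses password authentication for root (key-based root login still works), while -w refuses root logins altogether. The check function treats either as "root password login disabled". Keep your existing root SSH session open until the new user has been verified, so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example, not the original post's code. Run as root with "apply"
# to execute the privileged steps; sourcing it without arguments only
# defines the functions.
set -eu

ADMIN_USER="${ADMIN_USER:-pi}"                          # assumption: name from the post
DROPBEAR_DEFAULT="${DROPBEAR_DEFAULT:-/etc/default/dropbear}"

# Create the admin user and give it sudo. Needs root. Mirrors the post's
# commands, but uses usermod -a so existing groups are kept.
create_admin_user() {
    user="$1"
    if ! id "$user" >/dev/null 2>&1; then
        groupadd -g 1000 "$user"
        useradd -g 1000 -u 1000 -m -s /bin/bash -d "/home/$user" "$user"
    fi
    apt-get install -y sudo
    usermod -aG sudo "$user"
    passwd "$user"
}

# Prove sudo works for the user BEFORE root's password login is disabled.
# sudo -v prompts for the user's password and fails if they are not in sudoers.
verify_sudo() {
    su - "$1" -c 'sudo -v'
}

# Ensure DROPBEAR_EXTRA_ARGS in the given file contains -g. Handles a
# missing line, an empty value, and an existing value with other flags.
set_dropbear_no_root_password() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    if grep -q '^DROPBEAR_EXTRA_ARGS=' "$file"; then
        current=$(sed -n 's/^DROPBEAR_EXTRA_ARGS=//p' "$file" | head -n 1 | tr -d '"')
    else
        current=""
        printf 'DROPBEAR_EXTRA_ARGS=\n' >> "$file"
    fi
    case " $current " in
        *" -g "*) return 0 ;;                           # already set, nothing to do
    esac
    new=$(printf '%s -g' "$current" | sed 's/^ //')
    sed "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"$new\"|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Return 0 if the file blocks root password logins (-g) or all root logins (-w).
dropbear_root_password_disabled() {
    args=$(sed -n 's/^DROPBEAR_EXTRA_ARGS=//p' "$1" | head -n 1 | tr -d '"')
    case " $args " in
        *" -g "*|*" -w "*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "apply" ]; then
    create_admin_user "$ADMIN_USER"
    verify_sudo "$ADMIN_USER"                           # aborts here if sudo is broken
    set_dropbear_no_root_password "$DROPBEAR_DEFAULT"
    service dropbear restart                            # assumption: sysvinit-style service script
    dropbear_root_password_disabled "$DROPBEAR_DEFAULT" && echo "root password login disabled"
fi
```

The ordering is the point: `verify_sudo` runs before the dropbear file is touched, so a user who is not really in the sudo group stops the script instead of being discovered after root's remote login is already gone.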
Fourdee
Site Admin

Re: add a normal user

Post by Fourdee »

sarmisak wrote:
> Hi,
>
> I love DietPi, it is the long lost server for my multiple Pi systems running all around my house and work.
>
> I believe that there are some security issues which should be considered on the next release of DietPi, like starting with a normal user instead of using root for ssh access.

Hi Sarmisak,

Great to hear you're enjoying DietPi, and many thanks for the guide to disable root login.

I'll make this post a sticky. I believe there may be other users who require more security from their DietPi install, or, simply want to add different users to the system.

Regarding adding non-root users to DietPi as default, I will look into it, however:
- DietPi is designed for home users.
- Root allows us to reduce the image size and package requirements across software installations greatly.
- Root also allows us to prevent file access issues across the users installation (Simplicity for end user).
- 99.9% of home users own a firewall router that will prevent any external access to their internal network (LAN).
- Users can also change their root password with dietpi-config.
- Users who require additional security will generally apply their requirements on all Linux installations automatically.

Thanks again,
Regards,
Dan