SERVER HARDENING
June 24, 2026

How to Disable Root Login on a Linux Server

Author: CloudStick Team

Why Disabling Root Login Matters

Every Linux server has a root account with the same username: root. Attackers know this. Automated brute-force bots spend their entire lives trying password combinations against the root account on port 22. If root SSH login is enabled and an attacker guesses or obtains the root password, they have immediate, unrestricted access to your entire server.

Disabling root login forces attackers to guess both a valid username and the corresponding password — significantly raising the difficulty. Combined with SSH key authentication (which removes password-guessing entirely), root restriction is a foundational hardening step that should be applied to every production server.

Create a Sudo User Before Locking Root

Before you disable root login, you must have an alternative account with sudo privileges. Locking root without one will lock you out of administrative access permanently.

PREREQUISITE: Log in as root and complete the steps below before modifying SSH configuration.

# Create new user (replace "deploy" with your preferred username)
adduser deploy
# Add to the admin group: "sudo" on Debian/Ubuntu, "wheel" on RHEL-family systems
usermod -aG sudo deploy
# Copy root's authorized_keys to the new user (--archive keeps the 700/600 permissions, --chown fixes ownership)
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy
# Test SSH login as the new user FROM A NEW TERMINAL, keeping this root session open
# ssh deploy@your-server-ip
# sudo whoami   # must return "root"

Disable Root SSH Login

Open the SSH daemon configuration file and set PermitRootLogin to no:

sudo nano /etc/ssh/sshd_config
# Find and change:
PermitRootLogin no
# Also confirm these are set:
PasswordAuthentication no
PubkeyAuthentication yes
# Drop-ins pulled in by "Include /etc/ssh/sshd_config.d/*.conf" (Ubuntu 22.04+) are read
# first, and for each keyword the first value wins, so check them and the effective config:
sudo grep -ri 'PermitRootLogin\|PasswordAuthentication' /etc/ssh/sshd_config.d/
sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication)'
# Check the syntax before reloading, so a typo cannot leave sshd unable to start
sudo sshd -t
# Reload SSH (not restart — avoids dropping active sessions); the unit is "sshd" on RHEL-family systems
sudo systemctl reload ssh

WARNING: Keep your current session open. Open a new terminal and test that ssh root@your-server is now refused while ssh deploy@your-server still works before closing anything.

Note that PermitRootLogin prohibit-password is a softer option — it allows root login via SSH key but not password. For maximum hardening, use no to block root SSH entirely.
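The drop-in behaviour is the part of this step that most often goes wrong: the main file says no, a file under sshd_config.d says yes, and the yes wins because it is read first. The script below is an added example (not from the CloudStick article) that emulates OpenSSH's "first value wins" rule over a constructed config tree in a temp directory, so you can see exactly which value takes effect; on a real host `sudo sshd -T` prints the effective configuration directly. The file names `sshd_config.d/50-cloud-init.conf` and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the CloudStick article: emulate OpenSSH's
# "first value wins" rule for sshd_config keywords, following Include
# directives in order, to show which PermitRootLogin/PasswordAuthentication
# value actually takes effect when drop-in files are involved.

# Print a config file with Include directives expanded in place.
# $1 = config file, $2 = base directory for relative Include patterns
# (real sshd resolves those against /etc/ssh; the sample uses a temp dir).
expand_sshd_config() {
    local file="$1" base="$2" line word pat f
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                      # no globbing while splitting the line
        set -- $line
        set +f
        word=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')
        if [ "$word" = "include" ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for f in $pat; do   # glob expands here, in lexical order like sshd
                    if [ -f "$f" ]; then expand_sshd_config "$f" "$base"; fi
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
}

# Effective value of a keyword (case-insensitive), or "unset" if absent.
# Comments are stripped, "Key value" and "Key=value" are accepted, and
# reading stops at the first Match block, whose settings are conditional.
effective_sshd_value() {
    local cfg="$1" key
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    expand_sshd_config "$cfg" "$(dirname "$cfg")" | awk -v key="$key" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        {
            k = tolower($1); v = $2
            if (index($1, "=") > 0) { split($1, kv, "="); k = tolower(kv[1]); v = kv[2] }
            if (k == key && !found) { found = 1; print v }
        }
        END { if (!found) print "unset" }'
}

# Return 0 when root SSH login and password auth are both off, else 1.
root_ssh_hardened() {
    local prl pa
    prl=$(effective_sshd_value "$1" PermitRootLogin)
    pa=$(effective_sshd_value "$1" PasswordAuthentication)
    if [ "$prl" = "no" ] && [ "$pa" = "no" ]; then return 0; fi
    echo "not hardened: PermitRootLogin=$prl PasswordAuthentication=$pa" >&2
    return 1
}

# Constructed sample mirroring a common Ubuntu layout: the main file says
# "no", but the Include at the top pulls in a drop-in first. $1 is the
# PasswordAuthentication value written into that drop-in.
make_sample_config() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication %s\n' "$1" > "$dir/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' \
        'Include sshd_config.d/*.conf' \
        '#PermitRootLogin prohibit-password' \
        'PermitRootLogin no' \
        'PasswordAuthentication no' \
        'PubkeyAuthentication yes' > "$dir/sshd_config"
    printf '%s\n' "$dir/sshd_config"
}

cfg=$(make_sample_config yes)
effective_sshd_value "$cfg" PasswordAuthentication   # prints: yes (the drop-in won)
root_ssh_hardened "$cfg" || echo "fix the drop-in, re-check, then reload sshd"
```

Run it as-is to see the drop-in override; call `make_sample_config no` to see `root_ssh_hardened` pass. Point `effective_sshd_value` at a copy of your own `/etc/ssh/sshd_config` only as a reading aid: the copy's relative Include paths will resolve against the copy's directory, so `sshd -T` on the host remains the authoritative check.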

Lock the Root Account Locally

Disabling SSH root login still allows console root login (via cloud provider VNC or KVM). For a further layer of protection, lock the root account password so it cannot be used for local console auth either. You can still use sudo su from your sudo user to access root when needed.

# Lock the root password (this disables password logins only; SSH key login as root is still governed by PermitRootLogin)
sudo passwd -l root
# Verify root is locked
sudo passwd -S root
# Output should show "L" (locked): root L ...

To unlock the root account later if needed: sudo passwd -u root. With a locked root account, the only path to root privileges is via a sudo user — which is exactly the audit trail you want.

Test and Verify

Confirm your configuration is correct by testing both what should work and what should not:

# This should FAIL (Permission denied or connection refused)
ssh root@your-server-ip
# This should SUCCEED
ssh deploy@your-server-ip
# After login, verify sudo works
sudo whoami # returns: root
# Check auth log for root login attempts (Debian/Ubuntu path; use /var/log/secure on RHEL-family
# systems, or "journalctl -u ssh" / "journalctl -u sshd" where no auth.log exists)
sudo grep "Invalid user\|Failed password\|ROOT LOGIN" /var/log/auth.log | tail -20
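The grep above shows raw lines; what you usually want after hardening is a quick summary of who is still hammering root and confirmation that sshd is refusing them. The following is an added example (not from the CloudStick article) that runs that summary over a constructed auth log. The log lines are written to look like OpenSSH and sudo entries, the addresses are from documentation ranges, and the fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example, not from the CloudStick article: summarise what the auth
# log says about root once PermitRootLogin is "no". The log below is
# constructed; addresses are documentation ranges, not real hosts.

make_sample_auth_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun 24 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 24 10:01:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 24 10:01:09 web1 sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jun 24 10:01:12 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 40030 ssh2
Jun 24 10:01:20 web1 sshd[2209]: ROOT LOGIN REFUSED FROM 203.0.113.7 port 51300
Jun 24 10:02:00 web1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jun 24 10:02:03 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/whoami
EOF
    printf '%s\n' "$f"
}

# Failed password attempts against root, grouped by source address:
# prints "count address", most active source first. The "invalid user"
# line is excluded because the username there is not root.
failed_root_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / { print $(NF-3) }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Number of root logins sshd refused outright because of PermitRootLogin no
# (this is the "ROOT LOGIN" string the article's grep looks for).
root_refused_count() {
    grep -c 'ROOT LOGIN REFUSED FROM' "$1" || true
}

# Root-equivalent activity should appear only as sudo by a named user,
# never as an accepted SSH login for root. Returns 0 when that holds.
no_accepted_root_ssh() {
    ! grep -q 'sshd\[[0-9]*\]: Accepted .* for root from' "$1"
}

log=$(make_sample_auth_log)
failed_root_by_source "$log"      # 2 203.0.113.7  then  1 198.51.100.23
root_refused_count "$log"         # 1
no_accepted_root_ssh "$log" && echo "no root SSH logins accepted"
```

On a live host, replace the sample file with `/var/log/auth.log` (or save `journalctl -u ssh` / `journalctl -u sshd` output to a file first). A steady count from `failed_root_by_source` alongside a zero from `no_accepted_root_ssh` is the expected picture after this guide: bots keep trying root, nothing gets in, and every real root action is attributable to a sudo user.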

CloudStick User and Access Management

CloudStick's sudo and system user management feature lets you create, manage, and remove system users from the dashboard — no terminal required. When the agent is installed, root SSH login is disabled as part of the security baseline, and CloudStick manages server access through its own SSH vault rather than direct root credentials.

Team members added through CloudStick's team management panel get their own system user with appropriate permissions — no shared root passwords, no shared SSH keys. Each team member's access can be revoked independently from the dashboard when they leave a project.
