8 Safe ways to disable the root account in Linux

8 Safe Ways to Disable the Root Account in Linux

The root user is the user who has full privileges in any Linux system. It has unlimited powers but is an ultimate security risk if not managed properly. Disabling root access is one of the best practices for Linux hardening because using sudo is more effective than direct root access.

Since the root user is granted absolute powers in such a way that any activity carried out by the root user can be critical to the system. Any errors made by the root user can disrupt the system's normal operations. Moreover, this account can be misused by being used accidentally or inappropriately.

Precaution: Before disabling root account access, ensure that you have an administrative account with sudo privileges to regain root access. If you don’t already have an admin user account, create a new one and add it to the sudo group, or add it directly to the sudoers file in /etc/sudoers.

In the Linux systems, the root account is the superuser that has full administrative privileges. you are new to the Linux and want to understand how the operating system works, read our beginner guide on What is Linux? An Introduction to Linux and Its Popular Distributions.

Add an admin user with the useradd command

#useradd -m -c “Admin User” admin

#passwd admin

Now add this user to the sudo group to take privileges as the root.

#usermod -a -G sudo admin

As you have a user with administrative privileges, now switch to that user and block the root access.

#su admin

Why Disable the Root Account

Disabling root access helps:

·         Prevent brute-force attacks

·         Minimize accidental system destruction

·         Improve auditing (sudo logs every command)

·         Enforce least-privilege access

·         Block remote or local unauthorized root sessions

The root account is part of the Linux user management system and has full control over the system. understanding how to manage the users and permissions in the Linux, read our tutorial on Managing Users and Groups in Linux – A Complete Guide for Beginners.

1. Lock the Root Account (Recommended Method)

Lock the root account so that it cannot authenticate.

#sudo passwd -l root

It adds! in the password hash, blocking login but keeps root available for internal processes.

2. Expire the Root Password

Force the root password to expire immediately.

#sudo passwd -e root

Root cannot log in until the password is reset.

Many Linux administrators disable root login to improve the server security, especially when using the remote access. You can learn how to secure the remote access by following our guide on How to Secure SSH Access on Linux.

3. Disable Root using usermod

Another way to lock the root account is by using usermod.

#sudo usermod -L root

Equivalent to passwd -l, prevents password authentication.

4. Disable Root Shell Access

Replace the root’s shell with /usr/sbin/nologin or /bin/false.

#sudo usermod –s /usr/sbin/nologin root

Or

#sudo usermod -s /bin/false root

Root cannot spawn a shell locally or via shell.

5. Remove Root Password

Delete the root password completely.

#sudo passwd -d root

Root cannot log in using a password, useful for systems that rely on sudo.

6. Disable Root Login Over SSH

The most common and important security practice to disable root over SSH. Edit the SSH configuration file.

#sudo nano /etc/ssh/sshd_config

Find the entry rootpermitlogin and set it to no if it is yes.

#PermitRootLogin no

After making the changes save the file, restart the sshd service with the command.

#sudo systemctl restart sshd

Prevents remote hacking attempts targeting root.

7. Disable Root TTY Console Login

Some distros (RHEL/CentOS) use /etc/securetty to manage root console access. This file allows you to specify the tty devices the root user is allowed to log in. Emptying this file will ensure that the root cannot log in to any devices connected to the computer.

Rename the original file and create an empty file to disable root access.

#sudo mv /etc/securetty /etc/securetty.bkp

#sudo touch /etc/securetty

#sudo chmod 600 /etc/securetty

Blocks the root login from physical terminals, but other programs like ssh, sudo, and su have access to the root account.

8. Remove Root Entry from /etc/passwd (Not Recommended)

Just comment out the root entry in /etc/passwd file but this is not recommended in production environments.

How to verify if Root is disabled

To verify the root account is disabled, check the status of the root account with this command.

#sudo passwd -s root

After restricting or disabling the root account, the administrators often monitor the system activity and the running processes to maintain the system stability. To learn how to manage the running tasks in the Linux, read our guide on Linux Process Management for Beginners – Complete Guide 2025.

Comparison Table: Ways to Disable Root Account

Method	Safe	Best Use Case
Lock Root (passwd -l)	Yes	General security hardening
Expire password	Yes	Temporary disable
Usermod -L root	Yes	Same as a lock
No root shell	Yes	SSH/access restriction
Delete password	Yes	Systems using sudo only
Disable root login	Critical	Internet-facing servers
Edit /etc/securetty	Distro-dependent	Prevent console logins
Remove root password from passwd	No	Not recommended

That’s for all now. One of the best and safest methods of hardening your Linux system is to disable root access. The above methods allow you to have full control over root access while maintaining system stability and security.

📌 Related Articles

• 10 Ways to Clear Bash Command Line History in Linux
• Effective Ways to Hide Files and Directories in Linux
• Monitor Linux System Performance with top and htop
• The Right Way to Secure SSH Access on Your Linux Server

Keep visiting seeklinux for more updates, give your comments below, and feel free to contact us.