HOW CAN YOU SUCCESSFULLY RESTRICT ROOT LOGINS?

There are a number of methods for restricting root logins on a Linux server, and many good reasons to do so. The better-known methods, sudo and su, certainly apply, but they only help if nobody can log in directly as root: once someone logs in as root, sudo and su are never involved.

The /etc/securetty file lists the terminal devices that are considered secure enough for the root user to log in from. For instance, most distributions will, by default, have tty1 through tty6 listed in this file, indicating that root is allowed to log in at the physical machine on virtual consoles 1 through 6.

If the /etc/securetty file contains additional devices, such as ttyS0 or ttyS1, root logins can be done over the serial device. If you have a modem connected to your computer or a serial connection from another machine, root will be able to log in through the modem or from the machine's serial connection via a null-modem cable.

Allowing root login attempts from a nonlocal source is not a good idea. In fact, the most secure alternative is to make this an empty file. This prevents root from logging in on any terminal and forces you (and attackers) to authenticate as a valid user and then su to become root. A potential attacker then needs a valid login name and two passwords rather than one, which keeps most attackers from gaining root on your system. One caveat: if /etc/securetty does not exist, root logins are not restricted at all. So, for maximum security, ensure that the file exists but is empty.
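The following is an added audit helper, not part of the original article: it reads a securetty-format file and reports which of the postures described above it encodes (missing, empty, consoles only, or serial and other non-console devices). The path is a parameter so it can be run against constructed samples rather than the live /etc/securetty; treating lines starting with # as comments is an assumption.

```sh
#!/bin/sh
# Print the entries of a securetty file, ignoring blank lines and
# (assumed) '#' comments, with surrounding whitespace stripped.
securetty_entries() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" 2>/dev/null \
        | grep -v '^$' || true
}

# Classify the root-login posture a securetty file encodes:
#   UNRESTRICTED  file missing: root logins are not restricted at all
#   LOCKED        file exists but is empty: root must log in as a user and su
#   CONSOLE_ONLY  only virtual consoles (tty1, tty2, ...) are listed
#   NONLOCAL      serial (ttyS0, ttyS1) or other devices are listed
securetty_posture() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo UNRESTRICTED
        return
    fi
    entries=$(securetty_entries "$file")
    if [ -z "$entries" ]; then
        echo LOCKED
        return
    fi
    # Anything that is not a plain ttyN console is reachable non-locally.
    if printf '%s\n' "$entries" | grep -Evq '^tty[0-9]+$'; then
        echo NONLOCAL
    else
        echo CONSOLE_ONLY
    fi
}

# List the entries that let root log in from somewhere other than a console.
securetty_nonlocal_entries() {
    securetty_entries "$1" | grep -Ev '^tty[0-9]+$' || true
}

# Demonstration on constructed sample files in a temporary directory.
demo_securetty() {
    d=$(mktemp -d)
    printf 'tty1\ntty2\ntty3\ntty4\ntty5\ntty6\n' > "$d/default"
    printf '# serial console enabled\ntty1\nttyS0\n' > "$d/serial"
    : > "$d/empty"
    for f in default serial empty missing; do
        printf '%-8s %s\n' "$f" "$(securetty_posture "$d/$f")"
    done
    rm -rf "$d"
}

demo_securetty
```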