The difference between the two commands is that with “sudo” we enter our own password, the command runs with root privileges, and those privileges end as soon as the command finishes (sudo does cache the credential for a few minutes by default, so consecutive commands may not prompt again, but each one is still run individually through sudo and logged). With “su”, on the other hand, we enter the root user’s password and we remain root in that terminal indefinitely, until we give it up with the “exit” command and recover our normal privileges.
Why disable the root account
As we can see, using the root account may seem, at first glance, somewhat more convenient. In reality, it poses a significant risk to our security. Besides, “sudo” is more convenient than “su” because we only need to remember one password (our own user’s) instead of also having to remember the root user’s password.
If there are several users registered on the system, each of them invokes “sudo” with their own password. If one of those passwords is exposed, it is enough to change that password; the other users do not even need to know it happened, and sudo’s log still shows which user ran which command. By contrast, if the root password is exposed, besides endangering the entire system, it would have to be changed and shared again with every administrator who uses that account. And the more people know a password, the more likely it is to be exposed.
Prepare Linux to disable the root account
Generally, most Linux distributions let the first user created during installation run tasks with root privileges through “sudo”, by adding that user to the group that the default /etc/sudoers trusts (“sudo” on Debian and Ubuntu, “wheel” on Fedora, RHEL and Arch). However, it never hurts to check that this is still the case, and that no later change has taken it away, before continuing: once root is locked, a user who cannot use sudo has no way to administer the system.
We simply have to execute a command that requires elevated permissions (such as “apt update”) preceded by “sudo” and check that our user is indeed allowed to run it. Linux will ask for our own user’s password, not root’s, before executing the command with elevated privileges.
If sudo is not installed, we will first have to install it, and for this we have no other option than to use “su” to become root, install the sudo package with the distribution’s package manager, and add our user to the “sudo” or “wheel” group (the new group membership only takes effect after logging out and back in).
And finally, if we want to limit which users can or cannot use the “sudo” command, we use the “visudo” tool. It opens a working copy of the configuration file /etc/sudoers (or of a file under /etc/sudoers.d when called with “-f”), checks its syntax, and only allows us to save when the configuration is valid, which protects us from writing a broken sudoers file that would leave nobody able to use sudo. For the same reason, /etc/sudoers should never be edited with an ordinary editor.
Lock the root account
At this point we will already have verified that our user account can indeed use the “sudo” command to execute tasks with elevated privileges. Now the time has come to deactivate the system’s root account so that nobody can log in with it directly, whether with good or bad intentions.
To do this, we simply have to open a terminal and execute the following command:
sudo passwd -l root
What this command does is lock the root user’s password: it prefixes the hash stored in /etc/shadow with “!”, so no password will ever match, and nobody can use “su” or log in directly on a TTY as “root” with a password. If we now try to execute “su” on the system, we will see that Linux does not allow it (the lock can be undone at any time with “sudo passwd -u root”). Two caveats to keep in mind: locking the password does not affect access that does not use it, so “sudo -i” or “sudo su” will still give a root shell to sudo users, and an SSH key installed for root will still work unless “PermitRootLogin” is set to “no” in the sshd configuration; and some distributions drop into a rescue shell through “sulogin”, which refuses to open a console when the root account is locked, so recovery from a broken boot may then require editing the kernel command line. With that understood, our distro is a bit more secure.
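The whole procedure above (check that someone can use sudo, restrict sudo with a sudoers file, lock root, verify the lock) can be audited with a small script. The one below is an added example written for this article, not the article’s own commands: it reads group- and shadow-format lines so it can run offline against the constructed sample files it creates itself, and the users “alice” and “bob”, the hashes and the drop-in name “10-admins” are assumptions. Pointed at the real /etc/group and /etc/shadow (readable only as root, so via sudo) it audits a live system; “sudo -l” run as the user remains the authoritative test of sudo rights, since a custom sudoers may grant or deny them regardless of group membership.

```shell
#!/bin/sh
# Pre-flight audit for "lock the root account" (added example, not from the
# article). If sudo is missing altogether, the article's route applies first:
# "su -", install the sudo package, add the user to the sudo/wheel group,
# then log out and back in.

# Is user $1 listed in the sudo (Debian/Ubuntu) or wheel (Fedora/RHEL/Arch)
# group in group file $2? Stock /etc/sudoers grants those groups full sudo.
# Caveat: membership via the user's primary GID is not checked here.
in_admin_group() {
  awk -F: -v u="$1" '
    $1 == "sudo" || $1 == "wheel" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    }
    END { if (found) exit 0; exit 1 }' "$2"
}

# Classify the password field of user $1 in shadow file $2:
#   locked  - hash starts with "!" (passwd -l / usermod -L) or "*" (never set)
#   nopass  - empty hash: login without any password at all
#   active  - a usable hash is present
#   missing - no such user
account_status() {
  line=$(awk -F: -v u="$1" '$1 == u { print; f = 1; exit } END { if (!f) exit 1 }' "$2") \
    || { echo missing; return 0; }
  hash=${line#*:}          # drop the user name
  hash=${hash%%:*}         # keep only the password field
  case "$hash" in
    '!'*|'*'*) echo locked ;;
    '')        echo nopass ;;
    *)         echo active ;;
  esac
}

# Refuse to lock root unless at least one of the named users can sudo;
# otherwise "passwd -l root" locks you out of administration.
safe_to_lock_root() {
  groupfile=$1; shift
  for u in "$@"; do
    in_admin_group "$u" "$groupfile" && return 0
  done
  return 1
}

# A sudoers drop-in that limits who may use sudo. On a real system it would be
# created with "sudo visudo -f /etc/sudoers.d/10-admins" (hypothetical name),
# which refuses to save on syntax errors; "visudo -c -f FILE" only parses.
write_sudoers_sample() {
  cat > "$1" <<'EOF'
# alice may run any command as any user; bob only the two apt commands listed,
# with exactly those arguments (sudo matches the argument list literally).
alice   ALL=(ALL:ALL) ALL
bob     ALL=(root) /usr/bin/apt update, /usr/bin/apt upgrade
EOF
}

# Constructed sample files (not copied from any real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
GROUP_SAMPLE=$tmp/group; SHADOW_SAMPLE=$tmp/shadow; SUDOERS_SAMPLE=$tmp/10-admins
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
sudo:x:27:alice
wheel:x:10:
users:x:100:alice,bob
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:!$6$saltsalt$lockedhashplaceholder:19700:0:99999:7:::
alice:$6$saltsalt$activehashplaceholder:19700:0:99999:7:::
bob::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
EOF
write_sudoers_sample "$SUDOERS_SAMPLE"
if command -v visudo >/dev/null 2>&1; then
  visudo -c -f "$SUDOERS_SAMPLE"      # syntax check only; installs nothing
fi

if safe_to_lock_root "$GROUP_SAMPLE" alice bob; then
  echo "ok: a sudo-capable user exists; 'sudo passwd -l root' is safe to run"
else
  echo "STOP: no user in sudo/wheel; locking root now would lock you out"
fi
for u in root alice bob; do
  echo "$u: $(account_status "$u" "$SHADOW_SAMPLE")"   # root: locked, bob: nopass
done
```

With the sample data the script reports root as locked, alice as active and bob as nopass, which is exactly the kind of empty password field that should be fixed before the machine goes anywhere near a network.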
Other Security Tips for Linux
Although deactivating the Linux root account adds a layer of security, there are other small tricks and configurations we can use to make our system considerably more secure.
For example, one of the fundamental factors for keeping our system properly protected is to make sure we always keep it updated. In addition to the programs we have installed, we must make sure the Linux kernel is also always up to date, as well as all the packages that are part of the operating system, since most remote compromises exploit known vulnerabilities for which a patch already exists.
Another important point when protecting our Linux is to keep the permissions of all users under control. If something characterizes Linux, it is the fine-grained control it offers over this. Thanks to user and group permissions, we can configure in detail what each user or each program may and may not do, and also the permissions of directories, specifying who can enter them and read their contents and who cannot, always following the principle of least privilege: grant only what the user or program actually needs.
One more aspect to keep in mind is to disable all unnecessary services. Some installations enable services for remote administration or file sharing that we most likely do not need. In that case, we should disable everything we do not use (for example, FTP or Telnet, which also transmit passwords in clear text) so that nobody can use those protocols to connect remotely to our PC; a quick way to find them is to list which services are listening on the network.
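A practical way to find those services is to look at what is listening on network-facing addresses rather than only on loopback. The function below is an added example, not part of the article: it parses the output format of “ss -Hltnp” (state, queues, local address:port, peer, process), and the five lines it is run against are a constructed sample; the process names and PIDs in them are invented.

```shell
#!/bin/sh
# Find TCP services reachable from the network (added example, not from the
# article). On a live system:  sudo ss -Hltnp | audit_listeners
# then stop and disable what you do not need, e.g.  sudo systemctl disable --now vsftpd

# Reads ss lines on stdin and prints "port process" for every listener bound
# to a non-loopback address; sockets on 127.0.0.1 or [::1] are only reachable
# locally and are skipped. Ports 21 and 23 get a "cleartext" tag because FTP
# and Telnet send credentials unencrypted.
audit_listeners() {
  awk '{
    host = $4; sub(/:[^:]*$/, "", host)   # "0.0.0.0:22" -> "0.0.0.0", "[::]:21" -> "[::]"
    port = $4; sub(/.*:/, "", port)
    if (host == "127.0.0.1" || host == "[::1]") next
    proc = "unknown"
    # process column looks like users:(("sshd",pid=812,fd=3)); take the quoted name
    if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
    tag = (port + 0 == 21 || port + 0 == 23) ? " cleartext" : ""
    print port, proc tag
  }'
}

# Constructed sample of "ss -Hltnp" output (not captured from a real host).
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=903,fd=4))
LISTEN 0 128 [::]:21 [::]:* users:(("vsftpd",pid=910,fd=3))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=700,fd=5))'

printf '%s\n' "$SS_SAMPLE" | audit_listeners
```

On the sample this lists sshd on 22, in.telnetd on 23 and vsftpd on 21 (the last two tagged cleartext) and stays quiet about cupsd and postgres, which only listen on loopback; of the three, only sshd normally has a reason to stay enabled.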
Of course, it is also essential to use strong passwords for all users and, if they can be combined with a two-factor authentication (2FA) system, so much the better. In this way we make it much harder for attackers to compromise our accounts through password guessing, credential stuffing or phishing, and we keep our machine connected to the Internet safely.