Should I delete user "root" ?


I usually use user "root" to login and do admin
on any of my servers as it gives me full access
to everything.

However maybe using "root" or even having one named that
is silly as it means that someone now only has to guess
the password ( rather than username and the password).

Should I create a new user with full rights like "root" ?
And then delete user "root" ?

Or can I just change "root"s name to something else ?

For security, I occasionally change the password, but
I don’t know how secure that is.

Any suggestions ?
What do you guys do ?


The most important thing is to use a strong password and change it every year or so.

A strong password is longer than 8 characters, contains numbers, and upper/lower letters, and possibly punctuation. A strong password is not based on dictionary words, and generally looks random.

This is a strong password: kGjh4HH+TURy

This is not: joeiscool

We use public_key logins for ssh, and we do have a joeroot and a jamieroot account, but that’s just because neither of us can ever remember the regular root password (it’s strong!). If it were just my server, I’d set root to my usual strong password, and it wouldn’t be a problem to have it memorized. It’s when I have to keep up with more than a couple of strong passwords that it becomes a problem, and we have to introduce joeroot. :wink:

Is it bad practice to have windows remeber them for you and then just auto-fill them ?

I’m unfamiliar with this “Windows” of which you speak. (I use Linux on my desktop and laptop.) :wink:

But, I know what you mean. If your PC is reasonably secure, and not used by untrusted users, then it’s probably fine. But, keep in mind that when you have any form that has a “Username” and/or “Password” field on it, the browser will fill in your saved details…so, if you’re creating a new virtual server, if you aren’t paying attention you’ll create it with root as the user and with roots password. Virtualmin should prevent you from doing something dumb like that, but we had someone recently report the same symptoms (though I’m not convinced it was the same problem…he disappeared after I asked for clarification of how he got his system into that state). Anyway, the results of that can’t possibly be good. So, just be aware of that, if you do save your passwords.

I tend to save passwords on my desktop machine, but not on my laptop or Android phone (since the odds of my lappy or phone falling into the hands of someone I don’t trust are dramatically higher than my home PC).

Finally - your jamieroot, etc are these in addition to "root" ?

Yes, though they don’t have to be. I don’t think anybody even remembers our root password on anymore. It’s just that strong. :wink:

I guess that I add a "master-user" like that in the Webmin section

Yes, just grant the user full access to all modules. Webmin sort of defaults to being a root-level tool, so creating a root-level user is pretty easy.

A couple of additional thoughts on all this –

Some people make it so that root can’t log in over SSH – that instead, you have to log in as another user (where you have to know both the name and password) – and then su (or sudo) to root.

That’s an option in the /etc/ssh/sshd_config file (PermitRootLogin) – just make sure you verify that you can log in and su to root before disabling root’s ability to log in over SSH :slight_smile:

You can also set PermitRootLogin to “without-password”, which says that you can login remotely as root, but only if you’re using an SSH key.

i have a created a user that only has sufficient rights to create servers (Access to module virtual-servers).

i dont advice to keep any credentials on a windows operated machine. that OS has too many leaks and it’s not transparent at all.
1 little virus (and that happens quickly often without you knowing it) and your data is compromised

I also use keys to access my machines as root when I really need too (as per Eric’s advice: set PermitRootLogin to “without-password”).

Setting your static IP as the only one that can connect to your server (webmin configuration) adds another security layer.

I locked myself out of my admin console a while ago by using the @ character in my password - I had to get in via SSH to change it to an alphanumeric password.

After installing Virtualmin GPL, I would always clone the root account to another username something like @w3bM1n@. Then use a password combination as suggested by Joe. Logout, then login as the cloned user then proceed to delete the root account created by Virtualmin install script.

Oh, I should probably make it very clear that when we talk about deleting root, we’re talking about the Webmin root user. Not the system root user. You do not want to delete the system root user, ever, under any circumstances. You can set SSH to not allow root logins…but you should always have a system root user.

You say you have difficulty remebering your passwords.
Is it bad practice to have windows remeber them for you
and then just auto-fill them ?

Another thing I was thinking of doing is having a spreadsheet
with all my passwords on them.
Obviously I would not call it passwords.xls but something
boring like may-expenses.xls

Is that also a bad idea ?

Finally - your jamieroot, etc
are these in addition to "root" ?

I guess that I add a "master-user" like that
in the Webmin section