How do I disable root login in Ubuntu?

A while ago I gave root a password so I could log in as root and get some stuff done. Now I want to disable root login to tighten security, since I'm going to be exposing my server to the internet. I've seen several ways of doing this (sudo passwd -l root, fiddling with /etc/shadow, and so on), but nowhere that says what the best/most sensible way of doing it is. I've done sudo passwd -l root but I've seen advice that says this can affect init scripts, and that it's not as secure as it looks since it still asks for a password if you try to log in, rather than flat out denying access. So what would be the way to achieve that?

EDIT: to clarify, this is for local login as root; I've already disabled remote login via SSH. Though trying to log in as root over SSH still prompts for root's password (which always fails). Is that bad?


It's debatable, to me, that disabling root is worth the potential issues. I have never tested a server configured in such a manner. My preference is to allow root local access only. If an attacker has physical access to your server, you can forget everything you've done to "secure" your install anyway.

Disable root ssh access by editing /etc/ssh/sshd_config to contain:

PermitRootLogin no

Fiddling with /etc/shadow and chsh -s /bin/false root can all be undone with a simple bootable CD/thumbdrive.

Update per your comment:

From help.ubuntu.com: "By default, the root account password is locked in Ubuntu". Please see the section "Re-disabling your root account" specifically. In order to reset the state of root's account, to install-default, use the following command:

sudo usermod -p '!' root

I assume you refer to remote login via ssh. Add the following line to /etc/ssh/sshd_config:

PermitRootLogin no

and then restart the ssh service:

sudo service ssh restart

That should do the job and you can keep your root account as it is (or try to disable it anyway if you feel that is necessary).
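
An added example, not part of either answer above: a read-only shell check of the two settings discussed, root's password field in a shadow-format file and PermitRootLogin in an sshd_config-format file. The function names and the sample files are constructed for illustration; on a live system, sudo sshd -T prints the effective sshd settings.

```shell
#!/bin/sh
# Added example: read-only audit helpers. File paths are arguments so the
# functions can be tried on copies; the sample data below is constructed.

# Print root's password state from a shadow-format file:
# locked ("!" or "*" prefix), empty, set, or missing.
root_password_state() {
    line=$(grep '^root:' "$1") || { echo missing; return 0; }
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Print the global PermitRootLogin value from an sshd_config-format file.
# sshd uses the first occurrence of a keyword; Match blocks are not evaluated.
# Assumption: when unset, modern OpenSSH defaults to prohibit-password.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Constructed sample files (not real system data).
tmp=$(mktemp -d)
printf '%s\n' 'root:!:19000:0:99999:7:::' > "$tmp/shadow_default"       # after usermod -p '!' root
printf '%s\n' 'root:!$6$salt$hash:19000:0:99999:7:::' > "$tmp/shadow_passwd_l"  # after passwd -l root
printf '%s\n' 'root:$6$salt$hash:19000:0:99999:7:::' > "$tmp/shadow_set"        # root has a password
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/sshd_config"

for f in shadow_default shadow_passwd_l shadow_set; do
    echo "$f: $(root_password_state "$tmp/$f")"
done
echo "sshd_config: PermitRootLogin $(sshd_root_login "$tmp/sshd_config")"
rm -rf "$tmp"
```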