There are few way of doing it and depends on which suitable to your environment.
Changing the root shell
Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin for root
This will prevent access to the root shell and log the attempt. The following programs are prevented from accessing the root account. The following programs are prevented from accessing the root account:
- login
- gdm
- kdm
- xdm
- su
- ssh
- scp
- sftp
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs are not effected. The following programs are also not prevented from accessing the root acount
- sudo
- FTP cleitns
- email clients
For sudo, users are not allow to use #sudo -i to get access to root as this will load root profile settings and was prevented since we have make /sbin/nologin. However, you still can use #sudo -s
Disabling root SSH logins
Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
This will prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
- ssh
- scp
- sftp
If you intend to allow public key to access to root access, then you can change the PermitRootLogin parameter to without-password