You want to prevent the superuser, root, from logging in directly over a terminal or pseudo-terminal.
Edit /etc/securetty. This file lists device names, one per line, on which root logins are permitted. Make sure no pseudo-tty (pty) devices are listed, so root cannot log in via the network, and remove any others of concern to you. Lines do not contain the leading "/dev/" path, and lines beginning with a hash mark (#) are comments. For example:
/etc/securetty:
# serial lines
tty1
tty2
# devfs devices
vc/1
vc/2
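To check an existing file against the rules above, the following added example (not part of the original text) parses the securetty format and flags pseudo-tty entries and entries that wrongly include "/dev/". The function name audit_securetty and the pty name patterns (Unix98 pts/N and BSD-style ptyXY/ttyXY) are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit a securetty-format file for risky entries.
# audit_securetty is a hypothetical helper name, not a system tool.
audit_securetty() {
    file=${1:-/etc/securetty}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    lineno=0
    findings=0
    # read strips leading/trailing whitespace; the || clause keeps a final
    # line that lacks a trailing newline.
    while read -r entry || [ -n "$entry" ]; do
        lineno=$((lineno + 1))
        case $entry in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        case $entry in
            /dev/*)                        # entries must omit the /dev/ prefix
                echo "$lineno: $entry: remove the leading /dev/"
                findings=$((findings + 1))
                entry=${entry#/dev/} ;;
        esac
        # Assumed pty naming: Unix98 slaves pts/N, and BSD-style pairs
        # ptyXY/ttyXY with X in [p-za-e] and Y in [0-9a-f].
        case $entry in
            pts/*|[pt]ty[pqrstuvwxyzabcde][0123456789abcdef])
                echo "$lineno: $entry: pseudo-tty, permits root login over the network"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    # Exit status 0 only when nothing was flagged.
    [ "$findings" -eq 0 ]
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# serial lines' tty1 tty2 pts/0 ttyp0 /dev/vc/1 ttyS0 > "$sample"
audit_securetty "$sample" || echo "review the entries listed above"
rm -f "$sample"
```

Run `audit_securetty /etc/securetty` on a real system; the non-zero exit status on findings makes it usable from a cron job or configuration check.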
If possible, don't permit root to log in directly. If you do, you're providing a route for breaking into your system: an outsider can launch (say) a dictionary attack against the terminal in question. Instead, users should log in as themselves and gain root privileges in an appropriate manner, as we discuss in Chapter 5.
securetty(5). Documentation on devfs is at http://www.atnf.csiro.au/people/rgooch/linux/docs/devfs.html.