How to secure Linux users

How-to simply and securely manage the various users and system accounts on a Linux box.

Article published on 14 August 2010
last modification on 29 May 2016

by Emeric Nasi


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

UNIX and GNU Linux are a true multiuser operating system.
When beginning to work on a Linux box, one can be afraid by the number of system and user accounts he may find in the /etc/passwd file. Multiuser capability is a great asset for a system but it needs to be secured. Here I will present a few tips to securely manage Linux user accounts.

Note : All the next features are automated in the Thylacine security hardening tool in the "Accounts weakness countermeasures" part

I. Detect and repair security holes

1.1 Empty passwords

Empy passwords might be the result of a successful attack and used as a backdoor. They can also be a simple misconfiguration by the system admin.
How to detect it :
awk -F':' '{ if ( $2 == ""  ) print $1 }' /etc/shadow
How to quick fix it :
Deactivate these accounts using the line below as root.
usermod -s /bin/false -L --expiredate 1 "$account"

Note : —expiredate 1 sets the account´s expire date to Jan 2, 1970

1.2 UID 0 accounts

Only root should have the UID 0. Another account with that UID is often synonymous to backdoor.
How to detect it :
awk -F':' '{ if ( $3 == "0"  ) print $1 }' /etc/passwd
How to fix it :
Disable account.
usermod -s /bin/false -L --expiredate 1 "$account"

II. Harden users security

2.1 System accounts

System accounts are non-human accounts. They are often used to run daemons (like servers). File access control can be combined with restrictions like a chroot jail to protect the system from a vulnerability in an application run by the system user.

Depending on the distrib sytem accounts do not use the same UID numbers.
For example on a Debian, system users UID will be set between 0 and 1000 whereas on a RedHat system users UID will be set between 0 and 500.
Informations about all users accounts can be found in the file /etc/login.defs. You can use the next line to specifically grab the min human user UID (the one after the last sytem UID). All UID below the min UID are used by sytem accounts.
cat /etc/login.defs | grep -E ^UID_MIN | sed -r 's/ +/ /g' | cut -d " " -f 2

All system accounts (except root) should not be allowed to run a shell. To remove shell from all system accounts ($UID_MIN is used to store the result of the previous command line) :

2.2 Root account

Root is the superuser special account and can be considered as both a system and a human user.
Root access is really powerful and should be restricted.
Root direct access should not be authorized through SSH. In order to do so, modify the file /etc/ssh/sshd_config and set the field PermitRootLogin to no.
Root console access can also be restricted. Edit the file /etc/securetty and comment every lines except tty1 vc/1 and console (adapt that to your needs).

2.3 Human user accounts

The first step to harden human users security is to use strong passwords.
You can force strong password usage using PAM modules.
PAM password config files have different locations depending on the distrib you are using. On Debian, Ubuntu, OpenSUSE the file is located at /etc/pam.d/common-password. On RedHat, CentOS, Fedora, Mandriva the file is located at /etc/pam.d/system-auth.
Edit that file, and replace the "password ... pam_cracklib.so" by the next line :
password required pam_cracklib.so try_first_pass retry=3 minlen=8 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
Now new passwords must have at least one uppercase character, lowercase character, digit, and other (special) character and be at least 8 characters long.

Note : The previous line may require the installation of the pam_cracklib.so module (install the libpam-cracklib package).

The next step can be to force users to regularly change their password (however this can be discussed as it may become a burden to users and lead them to use simple passwords).
To force users to change passwords at least every 60 days (with one week warning) :
chage -M 30 -m 7 -W 7 $USER
Complementary to that you can configure PAM so that users cannot reenter the same password 10 times in a row. Edit the previously identified PAM file and append "remember=10" to the line "password ... pam_unix.so ..."

III. Users monitoring

3.1 Log login attempts

To log login attempts, create the file /var/log/wtmp.
To log bad login attempts, create the file /var/log/btmp.
To monitor all authentication information have a look at the /var/log/auth.log file (install logwatch might be a good idea to simplify your log monitoring).

3.2 Prevent bruteforce attacks

You can limit the maximum fail login attempts using faillog. For example, to limit the the maximum failed login attempts to 5 :
faillog -m 5 -u "$USER"

There are many more ways to manage accounts security on a Linux box (for instance I didn’t talk about all the SSH possibilities). These few tips might however be very useful to a Linux admin beginner.