
How-to simply and securely manage the various users and system accounts on a Linux box.
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
UNIX and GNU/Linux are true multiuser operating systems.
When beginning to work on a Linux box, one can be intimidated by the number of system and user accounts found in the /etc/passwd file. Multiuser capability is a great asset for a system, but it needs to be secured. Here I will present a few tips to securely manage Linux user accounts.
I. Detect and repair security holes
1.1 Empty passwords
Empty passwords might be the result of a successful attack, left behind as a backdoor. They can also be a simple misconfiguration by the system administrator.
How to detect it (as root, since /etc/shadow is not world-readable; a "!" or "*" in the field means a locked account, not an empty password) :
awk -F':' '{ if ( $2 == "" ) print $1 }' /etc/shadow
How to quick fix it :
Deactivate these accounts with the line below, as root: the password is locked (-L), the account is expired (--expiredate 1 is day 1 after the epoch, i.e. 1970-01-02, so it is already expired) and the shell is removed. Also find out how the password became empty; a backdoor rarely comes alone.
usermod -s /bin/false -L --expiredate 1 "$account"
1.2 UID 0 accounts
Only root should have UID 0. Another account with that UID is very often a backdoor: whatever its name, home directory or shell, it is root.
How to detect it :
awk -F':' '{ if ( $3 == "0" ) print $1 }' /etc/passwd
How to fix it :
Disable the account (every UID 0 account except root itself; never run this against root).
usermod -s /bin/false -L --expiredate 1 "$account"
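The two checks of section I, as an added example that is not part of the original page: the functions take a file path so they can be run against copies of the live files or against the constructed sample files below (the sample accounts, hashes and the "would run" output format are invented for the demonstration). The empty-password check is also applied to /etc/passwd, because an empty second field there (instead of "x") is a password hash of its own and the shadow entry is never consulted.

```shell
# Added example: audit helpers for empty passwords and extra UID 0 accounts.
# Run the real checks as root: /etc/shadow is not world-readable.

# Accounts whose password field is empty. In /etc/shadow this means no
# password is asked; in /etc/passwd an empty second field bypasses shadow.
empty_password_accounts() {
    awk -F':' '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 other than root itself ("00" is also UID 0).
extra_uid0_accounts() {
    awk -F':' '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# Lock the password, expire the account (day 1 after the epoch, 1970-01-02)
# and remove the shell. Only prints the command unless DRY_RUN=0.
disable_account() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        usermod -s /bin/false -L --expiredate 1 "$1"
    else
        echo "would run: usermod -s /bin/false -L --expiredate 1 $1"
    fi
}

# Constructed sample data (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
EOF

echo "empty password in shadow:"; empty_password_accounts "$tmp/shadow"   # toor
echo "empty password in passwd:"; empty_password_accounts "$tmp/passwd"   # guest
echo "extra UID 0 accounts:";     extra_uid0_accounts "$tmp/passwd"       # toor
for a in $(extra_uid0_accounts "$tmp/passwd"); do disable_account "$a"; done
rm -rf "$tmp"
```

Point the functions at /etc/shadow and /etc/passwd on the real host, and set DRY_RUN=0 only once you have looked at each account the audit lists.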
II. Harden user security
2.1 System accounts
System accounts are non-human accounts. They are mostly used to run daemons (such as servers). File access control can be combined with restrictions like a chroot jail so that a vulnerability in the application run by a system user does not compromise the rest of the system.
The UID range reserved for system accounts depends on the distribution.
For example, on Debian system accounts get UIDs below 1000 and human users start at 1000, whereas on older RedHat-based systems the boundary was 500 (current RedHat-based releases also use 1000).
The boundary is defined in /etc/login.defs: UID_MIN is the first UID given to human users, and every UID below it belongs to a system account. You can use the next line to grab that value:
awk '/^UID_MIN/ { print $2 }' /etc/login.defs
No system account (except root) should be allowed to run a shell; use /usr/sbin/nologin (or /bin/false) instead. Review the list before changing anything: a few accounts keep a shell on purpose (Debian's sync account uses /bin/sync), and admins often rely on "su - postgres" style logins, which still work after the change as "su -s /bin/bash postgres". To remove the shell from all system accounts ($UID_MIN is used to store the result of the previous command line) :
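An added example, not part of the original page, of the procedure above: read UID_MIN from a login.defs file, list the system accounts that still have a login shell, and replace it with /usr/sbin/nologin. Function names, the sample login.defs and passwd entries, and the 1000 fallback are assumptions made for the demonstration.

```shell
# Added example: system accounts with a login shell, based on UID_MIN.

# UID_MIN from a login.defs file; falls back to 1000 (assumed) if absent.
uid_min_from() {
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

# Accounts with UID below UID_MIN, root excluded, whose shell is not
# /bin/false, a *nologin binary, or empty. Output: "name:shell" per line.
system_accounts_with_shell() {
    awk -F':' -v min="$2" '
        $3 + 0 < min && $1 != "root" &&
        $7 != "" && $7 != "/bin/false" && $7 !~ /nologin$/ { print $1 ":" $7 }
    ' "$1"
}

# Replace the shell of every listed account. Dry run unless DRY_RUN=0.
# Review the list first: some accounts keep a shell on purpose (Debian's
# "sync" uses /bin/sync) and "su - postgres" becomes "su -s /bin/bash postgres".
remove_system_shells() {
    system_accounts_with_shell "$1" "$2" | while IFS=: read -r name shell; do
        if [ "${DRY_RUN:-1}" = "0" ]; then
            usermod -s /usr/sbin/nologin "$name"
        else
            echo "would run: usermod -s /usr/sbin/nologin $name  (was $shell)"
        fi
    done
}

# Constructed sample files (not from a real system).
tmp=$(mktemp -d)
printf 'UID_MIN\t\t\t 1000\nUID_MAX\t\t\t60000\n' > "$tmp/login.defs"
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
postgres:x:113:120:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
min=$(uid_min_from "$tmp/login.defs")
echo "UID_MIN=$min"                                 # UID_MIN=1000
system_accounts_with_shell "$tmp/passwd" "$min"     # sync:/bin/sync and postgres:/bin/bash
remove_system_shells "$tmp/passwd" "$min"
rm -rf "$tmp"
```

On a real host call uid_min_from /etc/login.defs and the two other functions with /etc/passwd; the dry run prints exactly the usermod commands that DRY_RUN=0 would execute.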
2.2 Root account
Root is the superuser account and can be considered both a system and a human user.
Root access is extremely powerful and should be restricted.
Direct root login should not be allowed over SSH. To disable it, edit /etc/ssh/sshd_config, set PermitRootLogin to no and reload sshd. Keep in mind that sshd uses the first value it finds for a keyword, so the setting must not be preceded by another PermitRootLogin line (including one pulled in by an Include directive on recent OpenSSH versions); check the effective value with sshd -T.
Root console access can also be restricted. Edit /etc/securetty and comment out every line except tty1, vc/1 and console (adapt that to your needs). This only has an effect where pam_securetty.so is part of the login PAM stack; several recent distributions no longer ship /etc/securetty, in which case the file does nothing.
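An added example, not part of the original page, that reports which PermitRootLogin value a given sshd_config will actually yield. It encodes the first-match rule: the first PermitRootLogin line outside a Match block wins, lines under Match are conditional and ignored here, and the default printed when no line is found is prohibit-password (the OpenSSH 7.0+ default). Include directives are not followed, so this is a pre-check on the file; sshd -T on the live host is the authority. The sample configs are constructed.

```shell
# Added example: effective PermitRootLogin for an sshd_config file.
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }   # conditional section begins
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }  # OpenSSH >= 7.0 default
    ' "$1"
}

# Constructed sample configs (not from a real host).
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\n# hardening attempt appended later:\nPermitRootLogin no\n' > "$tmp/appended"
printf 'Port 22\nPermitRootLogin no\n' > "$tmp/fixed"
printf 'Port 22\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n' > "$tmp/match_only"
for f in appended fixed match_only; do
    echo "$f: $(effective_permit_root_login "$tmp/$f")"
done
# appended: yes   fixed: no   match_only: prohibit-password
rm -rf "$tmp"
```

The "appended" case is the common mistake: adding PermitRootLogin no at the bottom of a file that already says yes higher up changes nothing.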
2.3 Human user accounts
The first step to harden human user security is to use strong passwords.
You can force strong password usage using PAM modules.
PAM password config files have different locations depending on the distribution you are using. On Debian, Ubuntu and OpenSUSE the file is /etc/pam.d/common-password. On RedHat, CentOS, Fedora and Mandriva the file is /etc/pam.d/system-auth (sshd and other network services use /etc/pam.d/password-auth there, so apply the same change to both files).
Edit that file and replace the "password ... pam_cracklib.so" line by the next one (recent distributions ship pam_pwquality instead of pam_cracklib; it accepts the same options) :
password required pam_cracklib.so try_first_pass retry=3 minlen=8 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Now new passwords must contain at least one uppercase letter, one lowercase letter, one digit and one other (special) character, be at least 8 characters long and differ from the previous password in at least 6 characters (difok=6). A credit of -1 means "at least one of that class is required"; lcredit must be -1 as well, because with lcredit=0 lowercase letters would merely be allowed, not required. Treat 8 as a floor: length does more for password strength than character classes, so prefer a larger minlen.
The next step can be to force users to change their password regularly (this is debatable: password expiry is a burden on users and tends to push them toward simpler passwords, and recent guidelines such as NIST SP 800-63B only recommend forced rotation after a suspected compromise).
To force users to change their password at least every 60 days, with a minimum of 7 days between two changes and a warning one week before expiry :
chage -M 60 -m 7 -W 7 "$USER"
Complementary to that you can configure PAM so that users cannot reuse any of their last 10 passwords. Edit the previously identified PAM file and append "remember=10" to the "password ... pam_unix.so ..." line; the hashes of the old passwords are kept in /etc/security/opasswd.
III. User monitoring
3.1 Log login attempts
To log successful logins, make sure the file /var/log/wtmp exists (the last command reads it).
To log failed login attempts, create the file /var/log/btmp (the lastb command reads it). It must not be world-readable (chown root:utmp, chmod 600): users sometimes type their password in the login name field, and it ends up in this file.
To monitor all authentication events have a look at /var/log/auth.log (/var/log/secure on RedHat-based systems, or the journal on systemd hosts); installing logwatch might be a good idea to simplify your log monitoring.
3.2 Prevent bruteforce attacks
You can limit the number of failed login attempts using faillog. Note that faillog only records and enforces anything when pam_tally.so is part of the PAM stack; on current systems the equivalent is pam_faillock (for instance deny=5 unlock_time=600), inspected and reset with the faillock command. For example, to limit failed login attempts to 5 for one user :
faillog -m 5 -u "$USER"
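Reading the logs of section 3.1 is the other half of resisting brute force: the added example below (not part of the original page) counts failed SSH password attempts per source address and per targeted user from auth.log-style lines and flags the sources above a threshold. The log lines are constructed, not captured from a real host; the only assumption about the format is sshd's usual "Failed password for [invalid user] NAME from ADDR port N ssh2" message, and the function names are invented.

```shell
# Added example: brute-force detection over auth.log-style sshd lines.

# Usage: failed_logins_by_source LOGFILE [THRESHOLD]  ->  "count addr" lines
failed_logins_by_source() {
    awk -v min="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # take the LAST "from": a user literally named "from" would
            # otherwise shift the address by one field
            for (i = 1; i <= NF; i++) if ($i == "from") addr = $(i + 1)
            n[addr]++
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' "$1" | sort -rn
}

# Usage: failed_logins_by_user LOGFILE  ->  "count user" lines,
# covering both existing users and "invalid user" guesses
failed_logins_by_user() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = $(i + 1)
                if (u == "invalid" && $(i + 2) == "user") u = $(i + 3)
                break
            }
            n[u]++
        }
        END { for (u in n) print n[u], u }
    ' "$1" | sort -rn
}

# Constructed sample log (not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/auth.log" <<'EOF'
Jan 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 12:00:07 host sshd[1204]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jan 10 12:00:09 host sshd[1205]: Failed password for invalid user from from 203.0.113.5 port 51270 ssh2
Jan 10 12:01:00 host sshd[1206]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 12:01:10 host sshd[1207]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
EOF
echo "sources with >= 5 failures:"; failed_logins_by_source "$tmp/auth.log"   # 5 203.0.113.5
echo "targeted users:";             failed_logins_by_user "$tmp/auth.log"     # root, admin, from, alice
rm -rf "$tmp"
```

On a real host feed /var/log/auth.log (or /var/log/secure) to the functions; a source that repeatedly targets root or guessed usernames is a candidate for a firewall rule, which is what tools such as fail2ban automate on top of the same lines.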
There are many more ways to manage account security on a Linux box (for instance I didn't cover all the SSH options). These few tips should however be useful to a beginning Linux admin.