{"id":2422,"date":"2015-09-18T10:57:27","date_gmt":"2015-09-18T07:57:27","guid":{"rendered":"https:\/\/upcloud.com\/global\/us\/resources\/tutorials\/manage-linux-user-account-security\/"},"modified":"2015-09-18T10:57:27","modified_gmt":"2015-09-18T07:57:27","slug":"manage-linux-user-account-security","status":"publish","type":"tutorial","link":"https:\/\/upcloud.com\/global\/resources\/tutorials\/manage-linux-user-account-security\/","title":{"rendered":"How to manage Linux user account security"},"content":{"rendered":"\n

Practising good control over your user accounts can be a big step toward a more secure cloud server<\/a>. Follow the examples in this guide to find out how to perform some of the basic user account management tasks, and how to implement a few added security measures.<\/p>\n\n\n\n

\n
Test hosting on UpCloud!<\/a><\/div>\n<\/div>\n\n\n\n

Adding a new user<\/h2>\n\n\n\n

One of the common security practices on any Linux machine is to avoid using the root account for day-to-day operations. If you have just deployed a new cloud server, of course, the only account on it will be root, so you will need to create a new username for yourself.<\/p>\n\n\n\n

adduser <username><\/pre>\n\n\n\n
Follow the user creation procedure to set a password and other information. On CentOS and other Red Hat variants, you will need to manually unlock the new account by setting the password with the next command.<\/p>\n\n\n\n
passwd <username><\/pre>\n\n\n\n
If you are going to be using this account for system management, give yourself sudo execution privileges. On Ubuntu servers, you can do this with the command below.<\/p>\n\n\n\n
adduser <username> sudo<\/pre>\n\n\n\n
Adding sudo permissions to users on CentOS is a little different, use the following instead.<\/p>\n\n\n\n
gpasswd -a <username> wheel<\/pre>\n\n\n\n
Debian users should note that the sudo access control system might not be installed by default. If it is missing, install it with the following.<\/p>\n\n\n\n
apt-get install sudo<\/pre>\n\n\n\n
Once installed, use the same command as with Ubuntu above to add your username to the sudoers list.<\/p>\n\n\n\n
Note that the group changes will only take effect after the next time the user logs in.<\/p>\n\n\n\n
With sudo permissions, you can perform all the same operations as the root account can, but without compromising on security. In case you are going to have more users on your server than just yourself, it is much safer to give them sudo privileges instead of sharing the root password with everyone. Using sudo over the root account is generally considered good practice overall.<\/p>\n\n\n\n
Disable root login<\/h2>\n\n\n\n
When you have your own account set up you should go ahead and disable SSH remote login for root. The OpenSSH server settings are defined in a configuration file, open it in an editor on Debian or Ubuntu with the next command.<\/p>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/pre>\n\n\n\n
With CentOS and other Red Hat variants, or if you just prefer using vi<\/tt> instead.<\/p>\n\n\n\n
sudo vi \/etc\/ssh\/sshd_config<\/pre>\n\n\n\n
Search for the authentication options and change the root login permission by setting it to no<\/tt> like below.<\/p>\n\n\n\n
PermitRootLogin no<\/pre>\n\n\n\n
Afterwards, just save the file and exit the text editor.<\/p>\n\n\n\n
Making changes to the SSH configuration file will require you to restart the service, on CentOS cloud servers use the following.<\/p>\n\n\n\n
sudo systemctl restart sshd<\/pre>\n\n\n\n
On systems running Ubuntu, the service is simply called ssh, the same will work with Debian.<\/p>\n\n\n\n
sudo service ssh restart<\/pre>\n\n\n\n
Password policies<\/h2>\n\n\n\n
If your server has more remote users than just yourself, implement and enforce reasonable password policies with a Linux PAM module called pam_cracklib.so. The module will check user passwords against dictionary words to help prevent weak password usage. You can also use it to set the minimum requirements for a new password like length and complexity.<\/p>\n\n\n\n
On Ubuntu and Debian systems, you need to install the module with the command below.<\/p>\n\n\n\n
sudo apt-get install libpam-cracklib<\/pre>\n\n\n\n
CentOS and other Red Hat variants already have it installed by default.<\/p>\n\n\n\n
With the module installed, open the configuration file in an editor on Ubuntu or Debian.<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/common-password<\/pre>\n\n\n\n
On cloud servers with CentOS, the file is stored under a different name, use the following.<\/p>\n\n\n\n
sudo vi \/etc\/pam.d\/system-auth<\/pre>\n\n\n\n
Installing the module on Ubuntu and Debian already pre-configures the password checks, so find the corresponding setting and edit it to look like the example below. On CentOS, depending on your version, you might need to add the whole following line to the configuration file.<\/p>\n\n\n\n
password required pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=1 ucredit=1 lcredit=1<\/pre>\n\n\n\n
The first parameter retry<\/tt> defines how many times the user gets to attempt again. The next minlen<\/tt> marks the minimum length of the password, while difok<\/tt> checks the maximum number of reused characters compared to the user\u2019s old password. The last 3 parameters set requirements for the password complexity, dcredit<\/tt> is a number of numerals, ucredit<\/tt> for upper case characters, and finally, lcredit<\/tt> is a number of lower case characters.<\/p>\n\n\n\n
Once you have set the password requirements to your liking, save the configuration file and exit the editor. Note that these policies only apply to regular user accounts, you as an administrator are still responsible for the root user password strength.<\/p>\n\n\n\n
Restrict SSH to specific user group<\/h2>\n\n\n\n
OpenSSH servers can limit user connections by cross-checking that they belong to the allowed group. This can be useful if you have multiple users which should not need to remote with SSH, or you just want the added security for example when running a web service or database with separate users from your own.<\/p>\n\n\n\n
Start by creating a new user group for this purpose, you can name the group whatever you wish, for this example, the group is called sshusers<\/tt>.<\/p>\n\n\n\n
sudo groupadd sshusers<\/pre>\n\n\n\n
Next, add your own username to the same new group.<\/p>\n\n\n\n
sudo gpasswd -a <username> sshusers<\/pre>\n\n\n\n
You can then check that your username was added to the group successfully.<\/p>\n\n\n\n
groups <username><\/pre>\n\n\n\n
The output will show all the groups the given username belongs to including a user group with the same name as the user.<\/p>\n\n\n\n
user : user sudo sshusers<\/pre>\n\n\n\n
With this done you can specify the allowed group for OpenSSH. To do this, open the configuration file in an editor.<\/p>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/pre>\n\n\n\n
If you do not have nano installed, or just prefer vi, use the following instead.<\/p>\n\n\n\n
sudo vi \/etc\/ssh\/sshd_config<\/pre>\n\n\n\n
You will need to add the line underneath the file, for example at the end.<\/p>\n\n\n\n
AllowGroups sshusers<\/pre>\n\n\n\n
Make sure your new configuration option is not commented out with the #<\/tt> sign in front of it, then save the file and exit the editor.<\/p>\n\n\n\n
Afterwards just restart your SSH server, on Ubuntu and Debian servers use this command.<\/p>\n\n\n\n
sudo service ssh restart<\/pre>\n\n\n\n
With CentOS and other Red Hat variants, the same can be done using the following instead.<\/p>\n\n\n\n
sudo systemctl restart sshd<\/pre>\n\n\n\n
With the new configuration, any user that does not belong to the allowed group will simply be denied access over SSH, even if their password was entered correctly. This will greatly reduce the chance of having a user password brute-forced, or guessed with dictionary lists, giving you a more secure cloud server.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","community-category":[253],"class_list":["post-2422","tutorial","type-tutorial","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/types\/tutorial"}],"author":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/comments?post=2422"}],"version-history":[{"count":0,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2422\/revisions"}],"wp:attachment":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/media?parent=2422"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/community-category?post=2422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}