The first and most crucial step towards securing Linux servers and systems is preventing malicious parties from unrequired access. Proper user account control is one of the many ways to enhance your system's security.

A hardened user account protects the system against the most common attack paths, horizontal and vertical privilege escalation. As a Linux system administrator, you are therefore also responsible for protecting your server with effective account security techniques.

This article covers some basic user account security controls to prevent unnecessary access and fix possible loopholes for system compromise.

1. Restrict Root Account Access

By default, a Linux installation sets up a root account that is reachable from outside over SSH. Root access over SSH, or several people sharing the root account inside the system, also causes repudiation issues: actions can no longer be traced to an individual.

For instance, an attacker can brute-force the root password over SSH and gain access to the system.

To restrict unnecessary root access from inside/outside the Linux system, you can:

Create a New Superuser

To grant sudo or root permissions to a regular Linux user account, add the user to the sudo group as follows:

        usermod -aG sudo username

Now switch to that user with the su command and verify its privileges by running, through sudo, a command that only root may execute:

        su - username
        sudo systemctl restart sshd

Enabling sudo permissions provides some good security benefits, such as:

  • You do not need to share the root password with regular users.
  • It lets you audit the commands regular users run: sudo records the who, when, and where of each command execution in the /var/log/secure file.
  • You can also edit the /etc/sudoers file to limit which commands a regular user may run as the superuser. Use sudo -l to check the current sudo permissions of a user.

Disable Root SSH Login

To disable root SSH access on your system, first, open the main configuration file.

        sudo vim /etc/ssh/sshd_config

Now uncomment the following line to set root login permissions to no:

        PermitRootLogin no

Save the file and restart the sshd service by typing:

        sudo systemctl restart sshd

Now, whenever you try to SSH into the system as a root user, you'll receive the following error message:

        Permission denied, please try again.

2. Set Expiration Dates on Accounts

Another effective way to control unnecessary access is to set expiration dates on accounts created for temporary usage.

For instance, if an intern or an employee needs access to the system, you can set an expiration date during account creation. It's a precautionary measure in case you forget to manually remove or delete the account after they leave the organization.

Use the chage command with the grep utility to fetch account expiration details for the user:

        chage -l username | grep account

Output:

        Account expires : never

The output shows that the account never expires. Now use the usermod command with the -e flag to set an expiration date in YYYY-MM-DD format, and verify the change with the same chage command:

        usermod -e 2021-01-25 username
        chage -l username | grep account

3. Improve Account Password Security

Enforcing a strong password policy is an important aspect of securing user accounts, as weak passwords enable attackers to easily break into your systems via brute-force, dictionary, or rainbow table attacks.

An easy-to-remember password may be convenient, but it also gives attackers an opportunity to guess it with freely available tools and wordlists.

Set Password Expiration Date

Linux also provides default password-aging settings in the /etc/login.defs file, which apply to accounts created after they are set. Use the chage command and grep the password expiration details for a user as follows:

        chage -l username | grep days

Variable         Default value   Usage                                                            Ideal value
PASS_MAX_DAYS    9999            Maximum number of days a password may be used; depends on        40
                                 the type of your account setup
PASS_MIN_DAYS    0               Prevents users from changing their password again immediately    5
PASS_MIN_LEN     5               Forces the user to set a password of at least this length        15
PASS_WARN_AGE    0               Warns the user to change the password before being forced to     7

For accounts that already exist, control password aging with the chage command, setting PASS_MAX_DAYS, PASS_MIN_DAYS, and PASS_WARN_AGE to 40, 5, and 7 respectively:

        chage -M 40 -m 5 -W 7 username

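Sections 2 and 3 both read or set the aging fields that chage prints. The following script is an added example, not code from the article: it audits /etc/shadow-style records against the values recommended above (PASS_MAX_DAYS 40, PASS_MIN_DAYS 5, PASS_WARN_AGE 7) and reports accounts whose expiration date has already passed. The records and the hashes in them are constructed placeholders so the script runs without root; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit the aging and expiry fields of
# /etc/shadow-style records and flag accounts whose expiration has passed.
# The records below are constructed samples (placeholder hashes) so the script
# runs without root; on a real host pass it the contents of /etc/shadow.

# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire count days since 1970-01-01; an empty expire means "never".
SAMPLE_SHADOW='alice:$6$abc:18600:5:40:7:::
bob:$6$def:18600:0:99999:0:::
intern:$6$ghi:18600:5:40:7::18650:
svc:!:18600:0:99999:7:::'

# audit_shadow <today_in_days> <records>
# Prints one finding per line. Locked accounts (hash starting with "!" or "*")
# are skipped because their aging values are irrelevant.
audit_shadow() {
    printf '%s\n' "$2" | awk -F: -v today="$1" '
        NF < 8 { next }
        $2 ~ /^[!*]/ { next }
        {
            name = $1; min = $4; max = $5; warn = $6; expire = $8
            if (max == "" || max + 0 > 40)
                printf "%s PASS_MAX_DAYS=%s exceeds 40\n", name, (max == "" ? "unset" : max)
            if (min == "" || min + 0 < 5)
                printf "%s PASS_MIN_DAYS=%s below 5\n", name, (min == "" ? "unset" : min)
            if (warn == "" || warn + 0 < 7)
                printf "%s PASS_WARN_AGE=%s below 7\n", name, (warn == "" ? "unset" : warn)
            if (expire != "" && expire + 0 <= today)
                printf "%s account expired on day %s\n", name, expire
        }'
}

# shadow_finding_count <today_in_days> <records>: number of findings (0 = clean)
shadow_finding_count() {
    audit_shadow "$1" "$2" | awk 'END { print NR }'
}

# Demo run against the constructed records, with "today" fixed to day 18700
# (2021-03-14) so the output is reproducible. For the live file, as root:
#   audit_shadow "$(( $(date +%s) / 86400 ))" "$(cat /etc/shadow)"
audit_shadow 18700 "$SAMPLE_SHADOW"
```

With the sample data, alice is compliant, bob produces three aging findings, the intern account is reported as expired because day 18650 is before the reference day, and the locked svc account is skipped.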
Password Hashes

Another way to harden account password security is to store password hashes inside the /etc/shadow file. Hashes are one-way mathematical functions that take the password as an input and output a non-reversible string.

On early Linux systems, whenever a user entered their password to log in, the system hashed it and compared the result against the hash stored in the /etc/passwd file.

The problem is that file's permissions: /etc/passwd is readable by everyone, so anyone with access to the system could read the hashes and crack them, for example with rainbow tables.

Hence, Linux now saves the hashes inside the /etc/shadow file with the following set of access permissions:

        ls -l /etc/shadow
        ---------- 1 root root 1626 Jan 7 13:56 /etc/shadow

It is still possible to install Linux with the old way of storing hashes. Running the pwconv command moves the password hashes into the /etc/shadow file; the pwunconv command reverts to storing them in /etc/passwd.
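A quick way to confirm that a system is using the shadow layout is to check the second field of each /etc/passwd entry and, for the hashes in /etc/shadow, the crypt(3) algorithm prefix. The script below is an added example, not the article's own code: the passwd and shadow records are constructed samples with placeholder hashes (not real digests), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: check that password hashes live in
# /etc/shadow rather than the world-readable /etc/passwd, and classify the
# crypt(3) algorithm each shadow hash uses. The records are constructed
# samples with placeholder hashes so the script runs without root; on a real
# host feed it the contents of the actual files.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
legacy:abJnggxhB/yWI:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$placeholder:18600:0:99999:7:::
alice:$y$j9T$salt$placeholder:18600:0:99999:7:::
old:$1$salt$placeholder:18600:0:99999:7:::
svc:!:18600:0:99999:7:::'

# passwd_hash_placement <passwd records>
# An "x" in field 2 means the hash is in /etc/shadow. Anything else is either a
# hash kept in passwd (the pre-shadow layout that pwconv fixes) or an empty password.
passwd_hash_placement() {
    printf '%s\n' "$1" | awk -F: '
        $2 == "x" { next }
        $2 == ""  { printf "%s has an empty password field\n", $1; next }
        { printf "%s stores its hash in passwd (run pwconv)\n", $1 }'
}

# hash_algorithm <hash>: name the algorithm from the $id$ prefix
hash_algorithm() {
    case "$1" in
        '$y$'*|'$7$'*)   echo yescrypt ;;
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$2'[abxy]'$'*)  echo bcrypt ;;
        '$1$'*)          echo md5 ;;
        '!'*|'*'*|'')    echo locked ;;
        *)               echo legacy-des ;;   # 13-character traditional DES crypt
    esac
}

# weak_hash_report <shadow records>: accounts still hashed with md5 or DES
weak_hash_report() {
    printf '%s\n' "$1" | while IFS=: read -r name hash _rest; do
        alg=$(hash_algorithm "$hash")
        case "$alg" in
            md5|legacy-des) printf '%s uses weak hash algorithm %s\n' "$name" "$alg" ;;
        esac
    done
}

# Demo run against the constructed records
passwd_hash_placement "$SAMPLE_PASSWD"
weak_hash_report "$SAMPLE_SHADOW"
```

On the sample data the legacy entry is reported for keeping its hash in passwd, guest for having an empty password field, and old for still using an MD5 hash; the yescrypt and SHA-512 entries pass.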

4. Remove Unused User Accounts

A bad actor can exploit unused and expired accounts by reactivating one and using it as if it belonged to a legitimate user. To remove an inactive account and its associated data when a user leaves the organization, first find all the files owned by the user:

        find / -user username

Then disable the account or set an expiration date as described above. Back up the files owned by the user, and either assign them to a new owner or remove them from the system.

Finally, delete the user account using the userdel command.

        userdel -f username

5. Restrict Remote Access to a Specific User Group

If you host a web server on your Linux machine, you may want to allow only specific users to SSH into it remotely. OpenSSH lets you restrict logins to members of a specific group.

For that, create a user group named ssh_gp, add the users you want to grant remote access to the group, and list the user group information as follows:

        sudo groupadd ssh_gp
        sudo gpasswd -a username ssh_gp
        groups username

Now open the OpenSSH server configuration file and add the following line to allow the ssh_gp group:

        sudo vim /etc/ssh/sshd_config

        AllowGroups ssh_gp

If the AllowGroups line is already present but commented out, uncomment it so the group restriction takes effect. Then save and exit the file and restart the service:

        sudo systemctl restart sshd

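Sections 1 and 5 both edit /etc/ssh/sshd_config, and a common mistake is to leave the new line commented out or to add it below an existing directive that sshd already honours. The script below is an added example, not code from the article or the OpenSSH project: it reports the effective PermitRootLogin and AllowGroups values of a config file, taking into account that sshd uses the first non-comment occurrence of a keyword and that anything after a Match line is conditional rather than global. The config it reads is a constructed sample written to a temporary file, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: report the effective PermitRootLogin and
# AllowGroups settings of an sshd_config. sshd takes the first non-comment
# occurrence of a keyword, so a commented-out line or a later duplicate does not
# count, and keywords after a "Match" line are conditional, not global.
# The config below is a constructed sample written to a temp file so the script
# never touches the real /etc/ssh/sshd_config.

# sshd_effective <config file> <keyword>
# Prints the first global value of the keyword (case-insensitive), or nothing
# when it is absent and sshd's built-in default applies.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == kw {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# sshd_audit <config file>
# One finding per line; returns 0 when both controls from this article are in place.
sshd_audit() {
    rc=0
    prl=$(sshd_effective "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    case "$prl" in
        no) ;;
        '') echo "PermitRootLogin not set: on current OpenSSH the default is prohibit-password, so root can still log in with a key"; rc=1 ;;
        *)  echo "PermitRootLogin is '$prl', expected 'no'"; rc=1 ;;
    esac
    if [ -z "$(sshd_effective "$1" AllowGroups)" ]; then
        echo "AllowGroups not set: any account with a valid shell may attempt SSH login"
        rc=1
    fi
    return "$rc"
}

# Constructed sample config: a commented-out default, the wanted setting, the
# group restriction, and a stray later duplicate that sshd ignores.
TMP_CFG=$(mktemp)
trap 'rm -f "$TMP_CFG"' EXIT
cat > "$TMP_CFG" <<'EOF'
# constructed sample sshd_config
#PermitRootLogin prohibit-password
PermitRootLogin no
AllowGroups ssh_gp
PermitRootLogin yes
EOF

sshd_audit "$TMP_CFG" && echo "sample config passes both checks"
```

Run it against a real file with sshd_audit /etc/ssh/sshd_config; on a live host, sshd -T prints the fully resolved configuration and is the authoritative check once the service has been restarted.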
Maintaining User Account Security on Linux

Nowadays, most organizations host critical infrastructures like web servers, firewalls, and databases on Linux, and the compromise of any internal component poses a significant threat to the whole infrastructure.

Given the importance of the setup, managing and securing user accounts is a fundamental challenge faced by Linux administrators. This article has listed some security measures an account administrator must take to protect the system against potential threats due to unprotected user accounts.