These steps outline how to harden your user accounts to lessen the risk that they will be compromised (and to limit the damage that can be done if they are).
We will assume you have already created a new user account; if you haven't, just run the following commands:
adduser -m -U USERNAME
passwd USERNAME
Now let's lock down our accounts!
- Let's restrict root access to the system console only. Edit /etc/securetty and remove everything except for the following:
console
tty1
tty2
...
tty10
tty11
- Uncomment the following line in /etc/pam.d/su
auth required pam_wheel.so use_uid
- Uncomment the following line in /etc/sudoers
%wheel ALL=(ALL) ALL
- Add your new administrator user to the wheel group
usermod -aG wheel USERNAME
- Now we will lock non-root system accounts and block shell access. Figure out the list of accounts by running the following (it will print each account with its UID and login shell):
awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
- Run the following commands on any non-root account with a UID less than 500:
usermod -L account
usermod -s /sbin/nologin account
- For reference, this is a list of system accounts generally created on a fresh install:
bin
daemon
adm
lp
sync
shutdown
halt
mail
uucp
operator
games
gopher
ftp
nobody
dbus
rpc
abrt
vcsa
haldaemon
saslauth
postfix
rpcuser
nfsnobody
ntp
qemu
radvd
sshd
tcpdump
oprofile
avahi
rtkit
pulse
avahi-autoipd
mysql
- Ensure passwords expire by editing /etc/login.defs
PASS_MAX_DAYS 360
PASS_MIN_DAYS 14
PASS_MIN_LENGTH 8
PASS_WARN_AGE 32
For any accounts that have already been created, run the following to enforce the new rules:
chage -M 360 -m 14 -W 7 admin
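The system-account step above can be verified before and after running usermod. The following is an added example, not part of the original post: a shell function that reads passwd- and shadow-format files and lists non-root accounts with a UID below 500 that still have a usable password field or a shell other than /sbin/nologin. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). UID_LIMIT follows the page's
# "UID less than 500" rule; the function names are hypothetical.
UID_LIMIT=500

# audit_system_accounts PASSWD_FILE SHADOW_FILE
# Prints "name:uid:finding" for every non-root account below UID_LIMIT whose
# password field is still usable or whose shell is not /sbin/nologin.
audit_system_accounts() {
    awk -F: -v limit="$UID_LIMIT" '
        # The shadow-format file is read first: remember each password field.
        FILENAME == ARGV[1] { pw[$1] = $2; next }
        # Passwd-format file: skip root and regular (UID >= limit) users.
        $1 == "root" || $3 + 0 >= limit { next }
        {
            finding = ""
            # A leading "!" (set by usermod -L) or "*" blocks password logins.
            if (($1 in pw) && pw[$1] !~ /^[!*]/) finding = "unlocked"
            if ($7 != "/sbin/nologin") {
                sep = (finding != "") ? "," : ""
                finding = finding sep "shell=" $7
            }
            if (finding != "") print $1 ":" $3 ":" finding
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from a real host).
write_sample_files() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:$6$constructed$hash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
sync:!!:15000:0:99999:7:::
mysql:$6$constructed$hash:15000:0:99999:7:::
admin:$6$constructed$hash:15000:14:360:7:::
EOF
}

# Usage: sh audit.sh /etc/passwd /etc/shadow   (reading shadow needs root)
if [ "$#" -eq 2 ]; then
    audit_system_accounts "$1" "$2"
fi
```

An empty result means every non-root account below the UID threshold is both locked and set to /sbin/nologin.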