We covered User Accounts Security best practices such as disabling root account login, setting password expiry date, setting password policies,etc. This was part of TryHackMe Linux System Hardening

Get Blue Team Notes

User Accounts Security in Linux

The root account carries with it tremendous power and hence risk. You are at risk of rendering your system unbootable with a simple mistake. Using a non-root account for everyday work is recommended to avoid sabotaging your system. However, root privileges are still needed for system maintenance, installing/removing software packages, and updating/configuring the system.

Use sudo

To avoid logging in as root, the better approach would be to have an account -created for administrative purposes- added to the sudoers, i.e. group who can use the sudo command. sudo stands for Super User Do and it should precede any command that requires root privileges.

Depending on the Linux distribution, we can add a user to the sudoers group in the following ways. Some distributions, such as Debian and Ubuntu, call the sudoers group sudo. In this case, you would need to issue the following command:

usermod -aG sudo username

  • usermod modifies a user account.
  • -aG appends to group.
  • sudo is the name of the group of users who can use sudo on Debian-based distributions.
  • username is the name of the user account you want to modify.

Other distributions, such as RedHat and Fedora, refer to the sudoers group as wheel. Consequently, you would need to issue the following command:

usermod -aG wheel username

The only difference is the name of the sudoers group.

Disable root

Once you have created an account for administrative purposes and added it to the sudo/wheel group, you might consider disabling the root account. A straightforward way is to modify the /etc/passwd and change the root shell to /sbin/nologin. In other words, edit /etc/passwd and change the line root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/sbin/nologin.

Enforce a Strong Password Policy

The libpwquality library provides many options for password constraints. The configuration file can be found at:

  • /etc/security/pwquality.conf on RedHat and Fedora
  • /etc/pam.d/common-password on Debian and Ubuntu. You can install it using apt-get install libpam-pwquality

Here are a few example options:

  • difok allows you to specify the number of characters in the new password that were not present in the old password.
  • minlen sets the minimum allowed length for new passwords.
  • minclass specifies the minimum number of required classes of characters; a class can be uppercase, lowercase, and digits, among others.
  • badwords provides a space-separated list of words that must not be contained in the chosen password.
  • retry=N prompts the user N times before returning an error.

Disable Unused Accounts

As part of system maintenance, it is vital to disable user accounts that no longer need access to the system in question. For instance, these users might have moved to another department or quit the company.

You can disable a user account in the same way we would disable the root account. An easy way would be to edit the /etc/passwd file and set the shell of the user account we want to disable to /sbin/nologin.

Let’s say that we want to disable the account of the user Michael with username michael.

  • Enabled account: michael:x:1000:1000:Michael:/home/michael:/usr/bin/fish
  • Disabled account: michael:x:1000:1000:Michael:/home/michael:/sbin/nologin

We should do the same for local services. In other words, we should set the shell to sbin/nologin for all the local service accounts such as www-datamongo, and nginx, to name a few. The reason is that these services need accounts to run on the system but would never need to log in and access a shell. Any of these services could perhaps have an RCE (Remote Code Execution) vulnerability, and by setting the shell to nologin, we can at least prevent interactive logins for the account of the affected service.

Room Answers

What command can you use to create a password for the GRUB bootloader?

What does PBKDF2 stand for?

What does LUKS stand for?

We cannot attach external storage to the VM, so we have created a /home/tryhackme/secretvault.img file instead. It is encrypted with the password 2N9EdZYNkszEE3Ad. To access it, you need to open it using cryptsetup and then mount it to an empty directory, such as myvault. What is the flag in the secret vault?

There is a firewall running on the Linux VM. It is allowing port 22 TCP as we can ssh into the machine. It is allowing another TCP port; what is it?

What is the allowed UDP port?

What flag is hidden in the sshd_config file?
One way to disable an account is to edit the passwd file and change the account’s shell. What is the suggested value to use for the shell?

What is the name of the RedHat and Fedora systems sudoers group?

What is the name of the sudoers group on Debian and Ubuntu systems?

Other than tryhackme and ubuntu, what is the username that belongs to the sudoers group?

Besides FTPS, what is another secure replacement for TFTP and FTP?
What command would you use to update an older Red Hat system?

What command would you use to update a modern Fedora system?

What two commands are required to update a Debian system? (Connect the two commands with &&.)

What does yum stand for?

What does dnf stand for?

What flag is hidden in the sources.list file?

What command can you use to display the last 15 lines of kern.log?

What command can you use to display the lines containing the word denied in the file secure?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles