Manage user accounts

Create a root account

(To deepen see also: Wiki, the command line part there is not outdated.)

Reason: Who manages to enter the server with the user account, typically has spied out the user password. In such a scenario sudo offers no protection! For this reason here we create a fully-fledged root account with a separate password, and forbid sudo. Of course, this configuration requires discipline to use the root account absolutely only for administrative purposes, and to leave it as soon as possible.

Create a password for root and then type in the new password twice:

sudo passwd root

Unblock the root Account:

sudo passwd -u root

=> Console output “passwd: password expiry information changed”, if the command was successful.

Last forbid sudo by ejecting root from the group “sudo”, from now on with the regular root account:

deluser example sudo

In this tutorial example is meant as example for the user account name, which initially was used with sudo as login user. If no restricted login user exist on some special systems, create one with:

adduser example --ingroup users

Create an additional user account

For safety reasons, we run OpenSim with an own account, also only with limited user permissions. The advantage of this approach is that in the OpenSim account never a password must be typed in.

adduser maria --ingroup users

Test: Both users example und maria must be only in the group users now.
1) change the account with su <Account>
2) show the own groups with id -Gn

Supernumerary groups can be deleted with:

deluser <account> <group to delete>

Hardening SSH

(To deepen see also: Wiki)

Most scripted attacks point to standard ports and users. That is why we change SSH to an unusual port and allow only one specific user account (without root privileges).

Remark: Please prepare an up to date backup prior to these configuration steps. If you lock yourself out with a faulty SSH configuration, this is irrevocable!
Backstop: Most server hosting companies however offer some means of web based configuration system where you can boot from a rescue system and mount your corrupted root file system to correct the settings. Check with your provider, if they offer similar support.

Caution! Permit the newly configured SSH port in your firewall or once again you will be locked out!

1) In /etc/ssh/sshd_config change the port to the desired value e.g. 12345.
=> After a successful connection test via the new port, close port 22 in the firewall.

Caution! Before proceeding to the next step, make sure an additional user (without root privileges) already exists or once again you will be locked out! If not done so far, create a new (limited) user as described in the previous chapter.

2) In /etc/ssh/sshd_config change the following 5 parameters:
=> Parameter LoginGraceTime to “2m“, meaning 2 minutes time for login attempts
=> Parameter PermitRootLogin to “no
=> Parameter MaxAuthTries 3 to three login attempts
=> Parameter MaxSessions 1 to max. one simultaneous logged in user
=> Parameter AllowUsers example to the newly configured user (without root privileges)

Remark: The parameter AllowUsers does not exist in the example file, so you must add it manually below of the existing entries.

Tests:
=> Reboot the server and try if you can log in using your newly configured user account. If this fails, restore your backup…
=> Try to login as root, this must fail.

Remarks: It is still possible to use multiple shell windows. All logins of the same user from the same source machine count as one session. In the shell you can also change the current user account using su example where “example” must be a valid account on your system.


Continued: Time and language configuration

Scroll to Top